Decoding distributed ledger transaction records

ABSTRACT

Systems and methods for decoding distributed ledger transactions by data intake and query systems. An example method includes: receiving a transaction of a distributed ledger, wherein the transaction includes transaction data and an identifier of an account of the distributed ledger; receiving a bytecode module, wherein the bytecode module is associated with the account of the distributed ledger; computing a bytecode digital fingerprint associated with the bytecode module; identifying, among a plurality of stored application binary interface (ABI) definitions, an ABI definition having an ABI digital fingerprint that matches the bytecode digital fingerprint; and producing decoded transaction data by decoding, using the identified ABI definition, the transaction data.

RELATED APPLICATIONS

This application is a continuation-in-part of U.S. patent applicationSer. No. 17/085,978 filed on Oct. 30, 2020, which is incorporated byreference herein in its entirety.

TECHNICAL FIELD

Embodiments of the present disclosure are generally related to dataintake and query systems, and more specifically, to decoding distributedledger transaction records by data intake and query systems.

BACKGROUND

A distributed ledger may include multiple nodes, such that each node maybe associated with one or more distributed ledger accounts. Thedistributed ledger may implement a transaction-based state machine,which transitions to a new state based on a set of inputs represented bytransactions.

BRIEF DESCRIPTION OF THE DRAWINGS

The examples described herein will be understood more fully from thedetailed description given below and from the accompanying drawings,which, however, should not be taken to limit the application to thespecific examples, but are for explanation and understanding.

FIG. 1 is a block diagram of an example networked computer environment,in accordance with example embodiments;

FIG. 2 is a block diagram of an example data intake and query system, inaccordance with example embodiments;

FIG. 3 is a block diagram of an example cloud-based data intake andquery system, in accordance with example embodiments;

FIG. 4 is a block diagram of an example data intake and query systemthat performs searches across external data systems, in accordance withexample embodiments;

FIG. 5A is a flowchart of an example method that illustrates howindexers process, index, and store data received from forwarders, inaccordance with example embodiments;

FIG. 5B is a block diagram of a data structure in which time-stampedevent data can be stored in a data store, in accordance with exampleembodiments;

FIG. 5C provides a visual representation of the manner in which apipelined search language or query operates, in accordance with exampleembodiments;

FIG. 6A is a flow diagram of an example method that illustrates how asearch head and indexers perform a search query, in accordance withexample embodiments;

FIG. 6B provides a visual representation of an example manner in which apipelined command language or query operates, in accordance with exampleembodiments;

FIG. 7A is a diagram of an example scenario where a common customeridentifier is found among log data received from three disparate datasources, in accordance with example embodiments;

FIG. 7B illustrates an example of processing keyword searches and fieldsearches, in accordance with disclosed embodiments;

FIG. 7C illustrates an example of creating and using an inverted index,in accordance with example embodiments;

FIG. 7D depicts a flowchart of example use of an inverted index in apipelined search query, in accordance with example embodiments;

FIG. 8A is an interface diagram of an example user interface for asearch screen, in accordance with example embodiments;

FIG. 8B is an interface diagram of an example user interface for a datasummary dialog that enables a user to select various data sources, inaccordance with example embodiments;

FIGS. 9, 10, 11A, 11B, 11C, 11D, 12, 13, 14, and 15 are interfacediagrams of example report generation user interfaces, in accordancewith example embodiments;

FIG. 16 is an example search query received from a client and executedby search peers, in accordance with example embodiments;

FIG. 17A is an interface diagram of an example user interface of a keyindicators view, in accordance with example embodiments;

FIG. 17B is an interface diagram of an example user interface of anincident review dashboard, in accordance with example embodiments;

FIG. 17C is a tree diagram of an example a proactive monitoring tree, inaccordance with example embodiments;

FIG. 17D is an interface diagram of an example a user interfacedisplaying both log data and performance data, in accordance withexample embodiments;

FIG. 18 is a block diagram of an embodiment of the data processingenvironment;

FIGS. 19A and 19B are block diagrams illustrating embodiments of adistributed ledger;

FIG. 20 is a block diagram illustrating an embodiment of a blockchain;

FIGS. 21A-21D are data flow diagrams illustrating an embodiment of adistributed ledger system processing a transaction;

FIG. 22 is a block diagram illustrating an embodiment of an environmentthat includes one or more nodes as a data source for the data intake andquery system;

FIG. 23 is a data flow diagram illustrating transaction decoding by adistributed ledger connector of the data intake and query system 108operating in accordance with aspects of the present disclosure;

FIG. 24 is a data flow diagram of computing a digital fingerprint of asmart contract, in accordance with aspects of the present disclosure;

FIG. 25 is a flow diagram of an embodiment of a method 2500 of decodingdistributed ledger transactions, in accordance with aspects of thepresent disclosure; and

FIG. 26 is a flow diagram of an embodiment of a method 2600 of decodingtransaction data, in accordance with aspects of the present disclosure.

DETAILED DESCRIPTION

Described herein are systems and methods for decoding distributed ledgertransaction records. The decoded transaction records may be utilized fordata extraction and visualization, as well as for further processing,such as data analysis, alert triggering, and/or reporting, as describedin more detail herein below.

An example distributed ledger may include multiple nodes, such that eachnode may be associated with one or more distributed ledger accounts. Thedistributed ledger may implement a transaction-based state machine,which transitions to a new state based on a set of inputs represented bytransaction records (referred to as “transactions” for conciseness). Adistributed ledger may be cryptographically-protected, e.g., bycryptographically encrypting the transaction records, such thatreversing a transaction becomes computationally infeasible. In oneembodiment, the cryptographically-protected distributed ledger may beimplemented by a blockchain.

A transaction may encode a message that is sent by a source account to adestination account. The message, which is signed by the private key ofthe source account, may specify a transfer of a certain amount of adigital asset from the source account to the destination account.

Some distributed ledgers (e.g., Ethereum) support a special accounttype, which is referred to as “contract account.” A message to acontract account activates its executable code implementing a “smartcontract,” which may evaluate specified conditions and perform variousactions (e.g., transfer cryptocurrency tokens between accounts, writedata to internal storage, mint new cryptocurrency tokens, performcalculation, create new smart contracts, etc.). The nodes of thedistributed ledger may collectively implement a distributed virtualmachine (e.g., the Ethereum Virtual Machine (EVM)) for executing thecode implementing smart contracts. A smart contract can be created in ahigh level programming language (such as Solidity) and then compiledinto the EVM bytecode.

In various implementations, a transaction may further specify variousother parameters, e.g., the amount of a digital asset to be transferredto a node that has successfully processed the transaction. A transactionmay be cryptographically signed by the originating node.

To cause a state transition of the blockchain, a transaction should bevalidated by at least one node, which would then include it, togetherwith other transactions, into a block that is appended to theblockchain. The block also includes a “proof of work” value that hasbeen computed by the node that created the block in order to enforce asequential order of blocks. The proof of work value is produced bysolving a computationally intensive task (e.g., computing padding bitsto be appended to the block in order to produce a predetermined value ofthe block hash). Some distributed ledgers, such as Ethereum, may rely onother consensus mechanisms, such as Clique, IBFT, PBFT, or use proof ofstake instead of proof of work to order blocks. Thus, a distributedledger may implement a cryptographically protected distributed immutabledatabase and a distributed virtual machine for executing smartcontracts.

A data intake and query system operating in accordance with aspects ofthe present disclosure can implement a Getting-Data-In (GDI) component(such as data adapter, monitor, forwarder, connector, or the like) inorder to ingest the distributed ledger transaction data, e.g., byreading log files maintained by one or more nodes of the distributedledger, listening to the blocks, transactions, and events that arebroadcasted to all participating nodes of a distributed ledger, and/orperforming other actions. The ingested raw data may be aggregated,decoded, visualized, and/or further processed by the data intake andquery system.

As noted herein above, a transaction can include invocation of a smartcontract. Since the bytecode that encodes smart contract invocation doesnot preserve parameter names, meaningful decoding of such a transactionwould require extrinsic knowledge of the meanings of the parameters.Decoding the transaction may be further hindered by potentiallyoverlapping signatures of functions exposed by different smartcontracts, i.e., two or more different functions having the samesignature that encodes the function name and parameter types. In anillustrative example, each of two smart contracts may expose a functionwith the signature transfer(address, uint256). In one smart contract,the second argument (having the type of uint256) may refer to an amountof digital currency being transferred, while in another smart contractthe second argument may refer to a token identifier. However, bothfunctions would have the same signature, thus presenting a challenge forthe transaction decoder.

The systems and methods of the present disclosure overcome theabove-noted challenges by implementing digital fingerprinting of smartcontracts, which facilitates associating a smart contract of interestwith a known application binary interface (ABI) definition. “Digitalfingerprint” herein refers to a numeric value (represented by a bitstring of a predetermined size) which can be unambiguously derived fromthe smart contract bytecode encoding or ABI definition, such that theprobability of two different smart contracts (e.g., smart contracts thathave different ABI definitions) having the same digital fingerprintvalue is very low (e.g., below a predetermined probability threshold).

In an illustrative example, the digital fingerprint of a smart contractcan be represented by a hash of all function and event signaturesexposed by the contract ABI. Thus, a transaction decoder implemented inaccordance with aspects of the present disclosure may compute a digitalfingerprint for the EVM bytecode implementing a smart contract invokedby a distributed ledger transaction and compare the computed digitalfingerprint with known digital fingerprints of ABI definitions of smartcontracts, the database of which can be maintained by the data intakeand query system. Upon identifying a matching smart contract among thestored ABI definitions, signatures of the functions and events of theidentified matching smart contracts, along with other pertinentinformation that can be stored in the smart contract ABI databasemaintained by the query intake and analysis system, can be utilized fordecoding the distributed ledger transaction. The decoded transactiondata, including the function name, the parameters names, types, andvalues, may be fed to a data intake and query system, such as theSPLUNK® ENTERPRISE system developed by Splunk Inc. of San Francisco,California, as described in more detail herein below.

The SPLUNK® ENTERPRISE system is the leading platform for providingreal-time operational intelligence that enables organizations tocollect, index, and search machine data from various websites,applications, servers, networks, and mobile devices that power theirbusinesses. The data intake and query system is particularly useful foranalyzing data which is commonly found in system log files, networkdata, and other data input sources. Although many of the techniquesdescribed herein are explained with reference to a data intake and querysystem similar to the SPLUNK® ENTERPRISE system, these techniques arealso applicable to other types of data systems.

In the data intake and query system, machine data are collected andstored as “events”. An event comprises a portion of machine data and isassociated with a specific point in time. The portion of machine datamay reflect activity in an IT environment and may be produced by acomponent of that IT environment, where the events may be searched toprovide insight into the IT environment, thereby improving theperformance of components in the IT environment. Events may be derivedfrom “time series data,” where the time series data comprises a sequenceof data points (e.g., performance measurements from a computer system,etc.) that are associated with successive points in time. In general,each event has a portion of machine data that is associated with atimestamp that is derived from the portion of machine data in the event.A timestamp of an event may be determined through interpolation betweentemporally proximate events having known timestamps or may be determinedbased on other configurable rules for associating timestamps withevents.

In some instances, machine data can have a predefined format, where dataitems with specific data formats are stored at predefined locations inthe data. For example, the machine data may include data associated withfields in a database table. In other instances, machine data may nothave a predefined format (e.g., may not be at fixed, predefinedlocations), but may have repeatable (e.g., non-random) patterns. Thismeans that some machine data can comprise various data items ofdifferent data types that may be stored at different locations withinthe data. For example, when the data source is an operating system log,an event can include one or more lines from the operating system logcontaining machine data that includes different types of performance anddiagnostic information associated with a specific point in time (e.g., atimestamp).

Examples of components which may generate machine data from which eventscan be derived include, but are not limited to, web servers, applicationservers, databases, firewalls, routers, operating systems, and softwareapplications that execute on computer systems, mobile devices, sensors,Internet of Things (IoT) devices, distributed ledger nodes, etc. Themachine data generated by such data sources can include, for example andwithout limitation, server log files, activity log files, configurationfiles, messages, network packet data, performance measurements, sensormeasurements, distributed ledger transactions, etc.

The data intake and query system uses a flexible schema to specify howto extract information from events. A flexible schema may be developedand redefined as needed. Note that a flexible schema may be applied toevents “on the fly,” when it is needed (e.g., at search time, indextime, ingestion time, etc.). When the schema is not applied to eventsuntil search time, the schema may be referred to as a “late-bindingschema.”

During operation, the data intake and query system receives machine datafrom any type and number of sources (e.g., one or more system logs,streams of network packet data, sensor data, application program data,error logs, stack traces, system performance data, etc.). The systemparses the machine data to produce events each having a portion ofmachine data associated with a timestamp. The system stores the eventsin a data store. The system enables users to run queries against thestored events to, for example, retrieve events that meet criteriaspecified in a query, such as criteria indicating certain keywords orhaving specific values in defined fields. As used herein, the term“field” refers to a location in the machine data of an event containingone or more values for a specific data item. A field may be referencedby a field name associated with the field. As will be described in moredetail herein, a field is defined by an extraction rule (e.g., a regularexpression) that derives one or more values or a sub-portion of textfrom the portion of machine data in each event to produce a value forthe field for that event. The set of values produced aresemantically-related (such as IP address), even though the machine datain each event may be in different formats (e.g., semantically-relatedvalues may be in different positions in the events derived fromdifferent sources).

As described above, the system stores the events in a data store. Theevents stored in the data store are field-searchable, wherefield-searchable herein refers to the ability to search the machine data(e.g., the raw machine data) of an event based on a field specified insearch criteria. For example, a search having criteria that specifies afield name “UserID” may cause the system to field-search the machinedata of events to identify events that have the field name “UserID.” Inanother example, a search having criteria that specifies a field name“UserID” with a corresponding field value “12345” may cause the systemto field-search the machine data of events to identify events havingthat field-value pair (e.g., field name “UserID” with a correspondingfield value of “12345”). Events are field-searchable using one or moreconfiguration files associated with the events. Each configuration fileincludes one or more field names, where each field name is associatedwith a corresponding extraction rule and a set of events to which thatextraction rule applies. The set of events to which an extraction ruleapplies may be identified by metadata associated with the set of events.For example, an extraction rule may apply to a set of events that areeach associated with a particular host, source, or source type. Whenevents are to be searched based on a particular field name specified ina search, the system uses one or more configuration files to determinewhether there is an extraction rule for that particular field name thatapplies to each event that falls within the criteria of the search. Ifso, the event is considered as part of the search results (andadditional processing may be performed on that event based on criteriaspecified in the search). If not, the next event is similarly analyzed,and so on.

As noted above, the data intake and query system utilizes a late-bindingschema while performing queries on events. One aspect of a late-bindingschema is applying extraction rules to events to extract values forspecific fields during search time. More specifically, the extractionrule for a field can include one or more instructions that specify howto extract a value for the field from an event. An extraction rule cangenerally include any type of instruction for extracting values fromevents. In some cases, an extraction rule comprises a regularexpression, where a sequence of characters forms a search pattern. Anextraction rule comprising a regular expression is referred to herein asa regex rule. The system applies a regex rule to an event to extractvalues for a field associated with the regex rule, where the values areextracted by searching the event for the sequence of characters definedin the regex rule.

In the data intake and query system, a field extractor may be configuredto automatically generate extraction rules for certain fields in theevents when the events are being created, indexed, or stored, orpossibly at a later time. Alternatively, a user may manually defineextraction rules for fields using a variety of techniques. In contrastto a conventional schema for a database system, a late-binding schema isnot defined at data ingestion time. Instead, the late-binding schema canbe developed on an ongoing basis until the time a query is actuallyexecuted. This means that extraction rules for the fields specified in aquery may be provided in the query itself, or may be located duringexecution of the query. Hence, as a user learns more about the data inthe events, the user can continue to refine the late-binding schema byadding new fields, deleting fields, or modifying the field extractionrules for use the next time the schema is used by the system. Becausethe data intake and query system maintains the underlying machine dataand uses a late-binding schema for searching the machine data, itenables a user to continue investigating and learn valuable insightsabout the machine data.

In some embodiments, a common field name may be used to reference two ormore fields containing equivalent and/or similar data items, even thoughthe fields may be associated with different types of events thatpossibly have different data formats and different extraction rules. Byenabling a common field name to be used to identify equivalent and/orsimilar fields from different types of events generated by disparatedata sources, the system facilitates use of a “common information model”(CIM) across the disparate data sources (further discussed with respectto FIG. 7A).

FIG. 1 is a block diagram of an example networked computer environment100, in accordance with example embodiments. Those skilled in the artwould understand that FIG. 1 represents one example of a networkedcomputer system and other embodiments may use different arrangements.

The networked computer system 100 comprises one or more computingdevices. These one or more computing devices comprise any combination ofhardware and software configured to implement the various logicalcomponents described herein. For example, the one or more computingdevices may include one or more memories that store instructions forimplementing the various components described herein, one or morehardware processors configured to execute the instructions stored in theone or more memories, and various data repositories in the one or morememories for storing data structures utilized and manipulated by thevarious components.

In some embodiments, one or more client devices 102 are coupled to oneor more host devices 106 and a data intake and query system 108 via oneor more networks 104. Networks 104 broadly represent one or more LANs,WANs, cellular networks (e.g., LTE, HSPA, 3G, and other cellulartechnologies), and/or networks using any of wired, wireless, terrestrialmicrowave, or satellite links, and may include the public Internet.

In the illustrated embodiment, a system 100 includes one or more hostdevices 106. Host devices 106 may broadly include any number ofcomputers, virtual machine instances, and/or data centers that areconfigured to host or execute one or more instances of host applications114. In general, a host device 106 may be involved, directly orindirectly, in processing requests received from client devices 102.Each host device 106 may comprise, for example, one or more of a networkdevice, a web server, an application server, a database server, etc. Acollection of host devices 106 may be configured to implement anetwork-based service. For example, a provider of a network-basedservice may configure one or more host devices 106 and host applications114 (e.g., one or more web servers, application servers, databaseservers, etc.) to collectively implement the network-based application.

In general, client devices 102 communicate with one or more hostapplications 114 to exchange information. The communication between aclient device 102 and a host application 114 may, for example, be basedon the Hypertext Transfer Protocol (HTTP) or any other network protocol.Content delivered from the host application 114 to a client device 102may include, for example, HTML documents, media content, etc. Thecommunication between a client device 102 and host application 114 mayinclude sending various requests and receiving data packets. Forexample, in general, a client device 102 or application running on aclient device may initiate communication with a host application 114 bymaking a request for a specific resource (e.g., based on an HTTPrequest), and the application server may respond with the requestedcontent stored in one or more response packets.

In the illustrated embodiment, one or more of host applications 114 maygenerate various types of performance data during operation, includingevent logs, network data, sensor data, and other types of machine data.For example, a host application 114 comprising a web server may generateone or more web server logs in which details of interactions between theweb server and any number of client devices 102 is recorded. As anotherexample, a host device 106 comprising a router may generate one or morerouter logs that record information related to network traffic managedby the router. As yet another example, a host application 114 comprisinga database server may generate one or more logs that record informationrelated to requests sent from other host applications 114 (e.g., webservers or application servers) for data managed by the database server.

Client devices 102 of FIG. 1 represent any computing device capable ofinteracting with one or more host devices 106 via a network 104.Examples of client devices 102 may include, without limitation, smartphones, tablet computers, handheld computers, wearable devices, laptopcomputers, desktop computers, servers, portable media players, gamingdevices, and so forth. In general, a client device 102 can provideaccess to different content, for instance, content provided by one ormore host devices 106, etc. Each client device 102 may comprise one ormore client applications 110, described in more detail in a separatesection hereinafter.

In some embodiments, each client device 102 may host or execute one ormore client applications 110 that are capable of interacting with one ormore host devices 106 via one or more networks 104. For instance, aclient application 110 may be or comprise a web browser that a user mayuse to navigate to one or more websites or other resources provided byone or more host devices 106. As another example, a client application110 may comprise a mobile application or “app.” For example, an operatorof a network-based service hosted by one or more host devices 106 maymake available one or more mobile apps that enable users of clientdevices 102 to access various resources of the network-based service. Asyet another example, client applications 110 may include backgroundprocesses that perform various operations without direct interactionfrom a user. A client application 110 may include a “plug-in” or“extension” to another application, such as a web browser plug-in orextension.

In some embodiments, a client application 110 may include a monitoringcomponent 112. At a high level, the monitoring component 112 comprises asoftware component or other logic that facilitates generatingperformance data related to a client device's operating state, includingmonitoring network traffic sent and received from the client device andcollecting other device and/or application-specific information.Monitoring component 112 may be an integrated component of a clientapplication 110, a plug-in, an extension, or any other type of add-oncomponent. Monitoring component 112 may also be a stand-alone process.

In some embodiments, a monitoring component 112 may be created when aclient application 110 is developed, for example, by an applicationdeveloper using a software development kit (SDK). The SDK may includecustom monitoring code that can be incorporated into the codeimplementing a client application 110. When the code is converted to anexecutable application, the custom code implementing the monitoringfunctionality can become part of the application itself.

In some embodiments, an SDK or other code for implementing themonitoring functionality may be offered by a provider of a data intakeand query system, such as a system 108. In such cases, the provider ofthe system 108 can implement the custom code so that performance datagenerated by the monitoring functionality is sent to the system 108 tofacilitate analysis of the performance data by a developer of the clientapplication or other users.

In some embodiments, the custom monitoring code may be incorporated intothe code of a client application 110 in a number of different ways, suchas the insertion of one or more lines in the client application codethat call or otherwise invoke the monitoring component 112. As such, adeveloper of a client application 110 can add one or more lines of codeinto the client application 110 to trigger the monitoring component 112at desired points during execution of the application. Code thattriggers the monitoring component may be referred to as a monitortrigger. For instance, a monitor trigger may be included at or near thebeginning of the executable code of the client application 110 such thatthe monitoring component 112 is initiated or triggered as theapplication is launched, or included at other points in the code thatcorrespond to various actions of the client application, such as sendinga network request or displaying a particular interface.

In some embodiments, the monitoring component 112 may monitor one ormore aspects of network traffic sent and/or received by a clientapplication 110. For example, the monitoring component 112 may beconfigured to monitor data packets transmitted to and/or from one ormore host applications 114. Incoming and/or outgoing data packets can beread or examined to identify network data contained within the packets,for example, and other aspects of data packets can be analyzed todetermine a number of network performance statistics. Monitoring networktraffic may enable information to be gathered particular to the networkperformance associated with a client application 110 or set ofapplications.

In some embodiments, network performance data refers to any type of datathat indicates information about the network and/or network performance.Network performance data may include, for instance, a URL requested, aconnection type (e.g., HTTP, HTTPS, etc.), a connection start time, aconnection end time, an HTTP status code, request length, responselength, request headers, response headers, connection status (e.g.,completion, response time(s), failure, etc.), and the like. Uponobtaining network performance data indicating performance of thenetwork, the network performance data can be transmitted to a dataintake and query system 108 for analysis.

Upon developing a client application 110 that incorporates a monitoringcomponent 112, the client application 110 can be distributed to clientdevices 102. Applications generally can be distributed to client devices102 in any manner, or they can be pre-loaded. In some cases, theapplication may be distributed to a client device 102 via an applicationmarketplace or other application distribution system. For instance, anapplication marketplace or other application distribution system mightdistribute the application to a client device based on a request fromthe client device to download the application.

Examples of functionality that enables monitoring performance of aclient device are described in U.S. patent application Ser. No.14/524,748, entitled “UTILIZING PACKET HEADERS TO MONITOR NETWORKTRAFFIC IN ASSOCIATION WITH A CLIENT DEVICE”, filed on 27 Oct. 2014, andwhich is hereby incorporated by reference in its entirety for allpurposes.

In some embodiments, the monitoring component 112 may also monitor andcollect performance data related to one or more aspects of theoperational state of a client application 110 and/or client device 102.For example, a monitoring component 112 may be configured to collectdevice performance information by monitoring one or more client deviceoperations, or by making calls to an operating system and/or one or moreother applications executing on a client device 102 for performanceinformation. Device performance information may include, for instance, acurrent wireless signal strength of the device, a current connectiontype and network carrier, current memory performance information, ageographic location of the device, a device orientation, and any otherinformation related to the operational state of the client device.

In some embodiments, the monitoring component 112 may also monitor andcollect other device profile information including, for example, a typeof client device, a manufacturer and model of the device, versions ofvarious software applications installed on the device, and so forth.

In general, a monitoring component 112 may be configured to generateperformance data in response to a monitor trigger in the code of aclient application 110 or other triggering application event, asdescribed above, and to store the performance data in one or more datarecords. Each data record, for example, may include a collection offield-value pairs, each field-value pair storing a particular item ofperformance data in association with a field for the item. For example,a data record generated by a monitoring component 112 may include a“network Latency” field (not shown in the Figure) in which a value isstored. This field indicates a network latency measurement associatedwith one or more network requests. The data record may include a “state”field to store a value indicating a state of a network connection, andso forth for any number of aspects of collected performance data.

FIG. 2 is a block diagram of an example data intake and query system108, in accordance with example embodiments. System 108 includes one ormore forwarders 204 that receive data from a variety of input datasources 202, and one or more indexers 206 that process and store thedata in one or more data stores 208. These forwarders 204 and indexers206 can comprise separate computer systems, or may alternativelycomprise separate processes executing on one or more computer systems.

Each data source 202 broadly represents a distinct source of data thatcan be consumed by system 108. Examples of a data sources 202 include,without limitation, data files, directories of files, data sent over anetwork, event logs, registries, etc.

During operation, the forwarders 204 identify which indexers 206 receivedata collected from a data source 202 and forward the data to theappropriate indexers. Forwarders 204 can also perform operations on thedata before forwarding, including removing extraneous data, detectingtimestamps in the data, parsing data, indexing data, routing data basedon criteria relating to the data being routed, and/or performing otherdata transformations.

In some embodiments, a forwarder 204 may comprise a service accessibleto client devices 102 and host devices 106 via a network 104. Forexample, one type of forwarder 204 may be capable of consuming vastamounts of real-time data from a potentially large number of clientdevices 102 and/or host devices 106. The forwarder 204 may, for example,comprise a computing device which implements multiple data pipelines or“queues” to handle forwarding of network data to indexers 206. Aforwarder 204 may also perform many of the functions that are performedby an indexer. For example, a forwarder 204 may perform keywordextractions on raw data or parse raw data to create events. A forwarder204 may generate time stamps for events. Additionally, or alternatively,a forwarder 204 may perform routing of events to indexers 206. Datastore 208 may contain events derived from machine data from a variety ofsources all pertaining to the same component in an IT environment, andthis data may be produced by the machine in question or by othercomponents in the IT environment.

The example data intake and query system 108 described in reference toFIG. 2 comprises several system components, including one or moreforwarders, indexers, and search heads. In some environments, a user ofa data intake and query system 108 may install and configure, oncomputing devices owned and operated by the user, one or more softwareapplications that implement some or all of these system components. Forexample, a user may install a software application on server computersowned by the user and configure each server to operate as one or more ofa forwarder, an indexer, a search head, etc. This arrangement generallymay be referred to as an “on-premises” solution. That is, the system 108is installed and operates on computing devices directly controlled bythe user of the system. Some users may prefer an on-premises solutionbecause it may provide a greater level of control over the configurationof certain aspects of the system (e.g., security, privacy, standards,controls, etc.). However, other users may instead prefer an arrangementin which the user is not directly responsible for providing and managingthe computing devices upon which various components of system 108operate.

In one embodiment, to provide an alternative to an entirely on-premisesenvironment for system 108, one or more of the components of a dataintake and query system instead may be provided as a cloud-basedservice. In this context, a cloud-based service refers to a servicehosted by one more computing resources that are accessible to end usersover a network, for example, by using a web browser or other applicationon a client device to interface with the remote computing resources. Forexample, a service provider may provide a cloud-based data intake andquery system by managing computing resources configured to implementvarious aspects of the system (e.g., forwarders, indexers, search heads,etc.) and by providing access to the system to end users via a network.Typically, a user may pay a subscription or other fee to use such aservice. Each subscribing user of the cloud-based service may beprovided with an account that enables the user to configure a customizedcloud-based system based on the user's preferences.

FIG. 3 illustrates a block diagram of an example cloud-based data intakeand query system. Similar to the system of FIG. 2 , the networkedcomputer system 300 includes input data sources 202 and forwarders 204.These input data sources and forwarders may be in a subscriber's privatecomputing environment. Alternatively, they might be directly managed bythe service provider as part of the cloud service. In the example system300, one or more forwarders 204 and client devices 302 are coupled to acloud-based data intake and query system 306 via one or more networks304. Network 304 broadly represents one or more LANs, WANs, cellularnetworks, intranetworks, internetworks, etc., using any of wired,wireless, terrestrial microwave, satellite links, etc., and may includethe public Internet, and is used by client devices 302 and forwarders204 to access the system 306. Similar to the system of 38, each of theforwarders 204 may be configured to receive data from an input sourceand to forward the data to other components of the system 306 forfurther processing.

In some embodiments, a cloud-based data intake and query system 306 maycomprise a plurality of system instances 308. In general, each systeminstance 308 may include one or more computing resources managed by aprovider of the cloud-based system 306 made available to a particularsubscriber. The computing resources comprising a system instance 308may, for example, include one or more servers or other devicesconfigured to implement one or more forwarders, indexers, search heads,and other components of a data intake and query system, similar tosystem 108. As indicated above, a subscriber may use a web browser orother application of a client device 302 to access a web portal or otherinterface that enables the subscriber to configure an instance 308.

Providing a data intake and query system as described in reference tosystem 108 as a cloud-based service presents a number of challenges.Each of the components of a system 108 (e.g., forwarders, indexers, andsearch heads) may at times refer to various configuration files storedlocally at each component. These configuration files typically mayinvolve some level of user configuration to accommodate particular typesof data a user desires to analyze and to account for other userpreferences. However, in a cloud-based service context, users typicallymay not have direct access to the underlying computing resourcesimplementing the various system components (e.g., the computingresources comprising each system instance 308) and may desire to makesuch configurations indirectly, for example, using one or more web-basedinterfaces. Thus, the techniques and systems described herein forproviding user interfaces that enable a user to configure source typedefinitions are applicable to both on-premises and cloud-based servicecontexts, or some combination thereof (e.g., a hybrid system where bothan on-premises environment, such as SPLUNK® ENTERPRISE, and acloud-based environment, such as SPLUNK CLOUD □, are centrally visible).

FIG. 4 shows a block diagram of an example of a data intake and querysystem 108 that provides transparent search facilities for data systemsthat are external to the data intake and query system. Such facilitiesare available in the Splunk® Analytics for Hadoop® system provided bySplunk Inc. of San Francisco, California. Splunk® Analytics for Hadoop®represents an analytics platform that enables business and IT teams torapidly explore, analyze, and visualize data in Hadoop® and NoSQL datastores.

The search head 210 of the data intake and query system receives searchrequests from one or more client devices 404 over network connections420. As discussed above, the data intake and query system 108 may residein an enterprise location, in the cloud, etc. FIG. 4 illustrates thatmultiple client devices 404 a, 404 b . . . 404 n may communicate withthe data intake and query system 108. The client devices 404 maycommunicate with the data intake and query system using a variety ofconnections. For example, one client device in FIG. 4 is illustrated ascommunicating over an Internet (Web) protocol, another client device isillustrated as communicating via a command line interface, and anotherclient device is illustrated as communicating via a software developerkit (SDK).

The search head 210 analyzes the received search request to identifyrequest parameters. If a search request received from one of the clientdevices 404 references an index maintained by the data intake and querysystem, then the search head 210 connects to one or more indexers 206 ofthe data intake and query system for the index referenced in the requestparameters. That is, if the request parameters of the search requestreference an index, then the search head accesses the data in the indexvia the indexer. The data intake and query system 108 may include one ormore indexers 206, depending on system access resources andrequirements. As described further below, the indexers 206 retrieve datafrom their respective local data stores 208 as specified in the searchrequest. The indexers and their respective data stores can comprise oneor more storage devices and typically reside on the same system, thoughthey may be connected via a local network connection.

If the request parameters of the received search request reference anexternal data collection, which is not accessible to the indexers 206 orunder the management of the data intake and query system, then thesearch head 210 can access the external data collection through anExternal Result Provider (ERP) process 410. An external data collectionmay be referred to as a “virtual index” (plural, “virtual indices”). AnERP process provides an interface through which the search head 210 mayaccess virtual indices.

Thus, a search reference to an index of the system relates to a locallystored and managed data collection. In contrast, a search reference to avirtual index relates to an externally stored and managed datacollection, which the search head may access through one or more ERPprocesses 410, 412. FIG. 4 shows two ERP processes 410, 412 that connectto respective remote (external) virtual indices, which are indicated asa Hadoop or another system 414 (e.g., Amazon S3, Amazon EMR, otherHadoop® Compatible File Systems (HCFS), etc.) and a relational databasemanagement system (RDBMS) 416. Other virtual indices may include otherfile organizations and protocols, such as Structured Query Language(SQL) and the like. The ellipses between the ERP processes 410, 412indicate optional additional ERP processes of the data intake and querysystem 108. An ERP process may be a computer process that is initiatedor spawned by the search head 210 and is executed by the search dataintake and query system 108. Alternatively, or additionally, an ERPprocess may be process spawned by the search head 210 on the same ordifferent host system as the search head 210 resides.

The search head 210 may spawn a single ERP process in response tomultiple virtual indices referenced in a search request, or the searchhead may spawn different ERP processes for different virtual indices.Generally, virtual indices that share common data configurations orprotocols may share ERP processes. For example, all search queryreferences to a Hadoop file system may be processed by the same ERPprocess, if the ERP process is suitably configured. Likewise, all searchquery references to a SQL database may be processed by the same ERPprocess. In addition, the search head may provide a common ERP processfor common external data source types (e.g., a common vendor may utilizea common ERP process, even if the vendor includes different data storagesystem types, such as Hadoop and SQL). Common indexing schemes also maybe handled by common ERP processes, such as flat text files or Weblogfiles.

The search head 210 determines the number of ERP processes to beinitiated via the use of configuration parameters that are included in asearch request message. Generally, there is a one-to-many relationshipbetween an external results provider “family” and ERP processes. Thereis also a one-to-many relationship between an ERP process andcorresponding virtual indices that are referred to in a search request.For example, using RDBMS, assume two independent instances of such asystem by one vendor, such as one RDBMS for production and another RDBMSused for development. In such a situation, it is likely preferable (butoptional) to use two ERP processes to maintain the independent operationas between production and development data. Both of the ERPs, however,will belong to the same family, because the two RDBMS system types arefrom the same vendor.

The ERP processes 410, 412 receive a search request from the search head210. The search head may optimize the received search request forexecution at the respective external virtual index. Alternatively, theERP process may receive a search request as a result of analysisperformed by the search head or by a different system process. The ERPprocesses 410, 412 can communicate with the search head 210 viaconventional input/output routines (e.g., standard in/standard out,etc.). In this way, the ERP process receives the search request from aclient device such that the search request may be efficiently executedat the corresponding external virtual index.

The ERP processes 410, 412 may be implemented as a process of the dataintake and query system. Each ERP process may be provided by the dataintake and query system, or may be provided by process or applicationproviders who are independent of the data intake and query system. Eachrespective ERP process may include an interface application installed ata computer of the external result provider that ensures propercommunication between the search support system and the external resultprovider. The ERP processes 410, 412 generate appropriate searchrequests in the protocol and syntax of the respective virtual indices414, 416, each of which corresponds to the search request received bythe search head 210. Upon receiving search results from theircorresponding virtual indices, the respective ERP process passes theresult to the search head 210, which may return or display the resultsor a processed set of results based on the returned results to therespective client device.

Client devices 404 may communicate with the data intake and query system108 through a network interface 420, e.g., one or more LANs, WANs,cellular networks, intranetworks, and/or internetworks using any ofwired, wireless, terrestrial microwave, satellite links, etc., and mayinclude the public Internet.

The analytics platform utilizing the External Result Provider processdescribed in more detail in U.S. Pat. No. 8,738,629, entitled “EXTERNALRESULT PROVIDED PROCESS FOR RETRIEVING DATA STORED USING A DIFFERENTCONFIGURATION OR PROTOCOL”, issued on 27 May 2014, U.S. Pat. No.8,738,587, entitled “PROCESSING A SYSTEM SEARCH REQUEST BY RETRIEVINGRESULTS FROM BOTH A NATIVE INDEX AND A VIRTUAL INDEX”, issued on 25 Jul.2013, U.S. patent application Ser. No. 14/266,832, entitled “PROCESSINGA SYSTEM SEARCH REQUEST ACROSS DISPARATE DATA COLLECTION SYSTEMS”, filedon 1 May 2014, and U.S. Pat. No. 9,514,189, entitled “PROCESSING ASYSTEM SEARCH REQUEST INCLUDING EXTERNAL DATA SOURCES”, issued on 6 Dec.2016, each of which is hereby incorporated by reference in its entiretyfor all purposes.

The ERP processes described above may include two operation modes: astreaming mode and a reporting mode. The ERP processes can operate instreaming mode only, in reporting mode only, or in both modessimultaneously. Operating in both modes simultaneously is referred to asmixed mode operation. In a mixed mode operation, the ERP at some pointcan stop providing the search head with streaming results and onlyprovide reporting results thereafter, or the search head at some pointmay start ignoring streaming results it has been using and only usereporting results thereafter.

The streaming mode returns search results in real time, with minimalprocessing, in response to the search request. The reporting modeprovides results of a search request with processing of the searchresults prior to providing them to the requesting search head, which inturn provides results to the requesting client device. ERP operationwith such multiple modes provides greater performance flexibility withregard to report time, search latency, and resource utilization.

In a mixed mode operation, both streaming mode and reporting mode areoperating simultaneously. The streaming mode results (e.g., the machinedata obtained from the external data source) are provided to the searchhead, which can then process the results data (e.g., break the machinedata into events, timestamp it, filter it, etc.) and integrate theresults data with the results data from other external data sources,and/or from data stores of the search head. The search head performssuch processing and can immediately start returning interim (streamingmode) results to the user at the requesting client device;simultaneously, the search head is waiting for the ERP process toprocess the data it is retrieving from the external data source as aresult of the concurrently executing reporting mode.

In some instances, the ERP process initially operates in a mixed mode,such that the streaming mode operates to enable the ERP quickly toreturn interim results (e.g., some of the machined data or unprocesseddata necessary to respond to a search request) to the search head,enabling the search head to process the interim results and beginproviding to the client or search requester interim results that areresponsive to the query. Meanwhile, in this mixed mode, the ERP alsooperates concurrently in reporting mode, processing portions of machinedata in a manner responsive to the search query. Upon determining thatit has results from the reporting mode available to return to the searchhead, the ERP may halt processing in the mixed mode at that time (orsome later time) by stopping the return of data in streaming mode to thesearch head and switching to reporting mode only. The ERP at this pointstarts sending interim results in reporting mode to the search head,which in turn may then present this processed data responsive to thesearch request to the client or search requester. Typically, the searchhead switches from using results from the ERP's streaming mode ofoperation to results from the ERP's reporting mode of operation when thehigher bandwidth results from the reporting mode outstrip the amount ofdata processed by the search head in the streaming mode of ERPoperation.

A reporting mode may have a higher bandwidth because the ERP does nothave to spend time transferring data to the search head for processingall the machine data. In addition, the ERP may optionally direct anotherprocessor to do the processing.

The streaming mode of operation does not need to be stopped to gain thehigher bandwidth benefits of a reporting mode; the search head couldsimply stop using the streaming mode results—and start using thereporting mode results—when the bandwidth of the reporting mode hascaught up with or exceeded the amount of bandwidth provided by thestreaming mode. Thus, a variety of triggers and ways to accomplish asearch head's switch from using streaming mode results to usingreporting mode results may be appreciated by one skilled in the art.

The reporting mode can involve the ERP process (or an external system)performing event breaking, time stamping, filtering of events to matchthe search query request, and calculating statistics on the results. Theuser can request particular types of data, such as if the search queryitself involves types of events, or the search request may ask forstatistics on data, such as on events that meet the search request. Ineither case, the search head understands the query language used in thereceived query request, which may be a proprietary language. Oneexemplary query language is Splunk Processing Language (SPL) developedby the assignee of the application, Splunk Inc. The search headtypically understands how to use that language to obtain data from theindexers, which store data in a format used by the SPLUNK® Enterprisesystem.

The ERP processes support the search head, as the search head is notordinarily configured to understand the format in which data is storedin external data sources such as Hadoop or SQL data systems. Rather, theERP process performs that translation from the query submitted in thesearch support system's native format (e.g., SPL if SPLUNK® ENTERPRISEis used as the search support system) to a search query request formatthat will be accepted by the corresponding external data system. Theexternal data system typically stores data in a different format fromthat of the search support system's native index format, and it utilizesa different query language (e.g., SQL or MapReduce, rather than SPL orthe like).

As noted, the ERP process can operate in the streaming mode alone. Afterthe ERP process has performed the translation of the query request andreceived raw results from the streaming mode, the search head canintegrate the returned data with any data obtained from local datasources (e.g., native to the search support system), other external datasources, and other ERP processes (if such operations were required tosatisfy the terms of the search query). An advantage of mixed modeoperation is that, in addition to streaming mode, the ERP process isalso executing concurrently in reporting mode. Thus, the ERP process(rather than the search head) is processing query results (e.g.,performing event breaking, timestamping, filtering, possibly calculatingstatistics if required to be responsive to the search query request,etc.). It should be apparent to those skilled in the art that additionaltime is needed for the ERP process to perform the processing in such aconfiguration. Therefore, the streaming mode will allow the search headto start returning interim results to the user at the client devicebefore the ERP process can complete sufficient processing to startreturning any search results. The switchover between streaming andreporting mode happens when the ERP process determines that theswitchover is appropriate, such as when the ERP process determines itcan begin returning meaningful results from its reporting mode.

The operation described above illustrates the source of operationallatency: streaming mode has low latency (immediate results) and usuallyhas relatively low bandwidth (fewer results can be returned per unit oftime). In contrast, the concurrently running reporting mode hasrelatively high latency (it has to perform a lot more processing beforereturning any results) and usually has relatively high bandwidth (moreresults can be processed per unit of time). For example, when the ERPprocess does begin returning report results, it returns more processedresults than in the streaming mode, because, e.g., statistics only needto be calculated to be responsive to the search request. That is, theERP process doesn't have to take time to first return machine data tothe search head. As noted, the ERP process could be configured tooperate in streaming mode alone and return just the machine data for thesearch head to process in a way that is responsive to the searchrequest. Alternatively, the ERP process can be configured to operate inthe reporting mode only. Also, the ERP process can be configured tooperate in streaming mode and reporting mode concurrently, as described,with the ERP process stopping the transmission of streaming results tothe search head when the concurrently running reporting mode has caughtup and started providing results. The reporting mode does not requirethe processing of all machine data that is responsive to the searchquery request before the ERP process starts returning results; rather,the reporting mode usually performs processing of chunks of events andreturns the processing results to the search head for each chunk.

For example, an ERP process can be configured to merely return thecontents of a search result file verbatim, with little or no processingof results. That way, the search head performs all processing (such asparsing byte streams into events, filtering, etc.). The ERP process canbe configured to perform additional intelligence, such as analyzing thesearch request and handling all the computation that a native searchindexer process would otherwise perform. In this way, the configured ERPprocess provides greater flexibility in features while operatingaccording to desired preferences, such as response latency and resourcerequirements.

FIG. 5A is a flow chart of an example method that illustrates howindexers process, index, and store data received from forwarders, inaccordance with example embodiments. The data flow illustrated in FIG.5A is provided for illustrative purposes only; those skilled in the artwould understand that one or more of the steps of the processesillustrated in FIG. 5A may be removed or that the ordering of the stepsmay be changed. Furthermore, for the purposes of illustrating a clearexample, one or more particular system components are described in thecontext of performing various operations during each of the data flowstages. For example, a forwarder is described as receiving andprocessing machine data during an input phase; an indexer is describedas parsing and indexing machine data during parsing and indexing phases;and a search head is described as performing a search query during asearch phase. However, other system arrangements and distributions ofthe processing steps across system components may be used.

At block 502, a forwarder receives data from an input source, such as adata source 202 shown in FIG. 2 . A forwarder initially may receive thedata as a raw data stream generated by the input source. For example, aforwarder may receive a data stream from a log file generated by anapplication server, from a stream of network data from a network device,or from any other source of data. In some embodiments, a forwarderreceives the raw data and may segment the data stream into “blocks”,possibly of a uniform data size, to facilitate subsequent processingsteps.

At block 504, a forwarder or other system component annotates each blockgenerated from the raw data with one or more metadata fields. Thesemetadata fields may, for example, provide information related to thedata block as a whole and may apply to each event that is subsequentlyderived from the data in the data block. For example, the metadatafields may include separate fields specifying each of a host, a source,and a source type related to the data block. A host field may contain avalue identifying a host name or IP address of a device that generatedthe data. A source field may contain a value identifying a source of thedata, such as a pathname of a file or a protocol and port related toreceived network data. A source type field may contain a valuespecifying a particular source type label for the data. Additionalmetadata fields may also be included during the input phase, such as acharacter encoding of the data, if known, and possibly other values thatprovide information relevant to later processing steps. In someembodiments, a forwarder forwards the annotated data blocks to anothersystem component (typically an indexer) for further processing.

The data intake and query system allows forwarding of data from one dataintake and query instance to another, or even to a third-party system.The data intake and query system can employ different types offorwarders in a configuration.

In some embodiments, a forwarder may contain the essential componentsneeded to forward data. A forwarder can gather data from a variety ofinputs and forward the data to an indexer for indexing and searching. Aforwarder can also tag metadata (e.g., source, source type, host, etc.).

In some embodiments, a forwarder has the capabilities of theaforementioned forwarder as well as additional capabilities. Theforwarder can parse data before forwarding the data (e.g., can associatea time stamp with a portion of data and create an event, etc.) and canroute data based on criteria such as source or type of event. Theforwarder can also index data locally while forwarding the data toanother indexer.

At block 506, an indexer receives data blocks from a forwarder andparses the data to organize the data into events. In some embodiments,to organize the data into events, an indexer may determine a source typeassociated with each data block (e.g., by extracting a source type labelfrom the metadata fields associated with the data block, etc.) and referto a source type configuration corresponding to the identified sourcetype. The source type definition may include one or more properties thatindicate to the indexer to automatically determine the boundaries withinthe received data that indicate the portions of machine data for events.In general, these properties may include regular expression-based rulesor delimiter rules where, for example, event boundaries may be indicatedby predefined characters or character strings. These predefinedcharacters may include punctuation marks or other special charactersincluding, for example, carriage returns, tabs, spaces, line breaks,etc. If a source type for the data is unknown to the indexer, an indexermay infer a source type for the data by examining the structure of thedata. Then, the indexer can apply an inferred source type definition tothe data to create the events.

At block 508, the indexer determines a timestamp for each event. Similarto the process for parsing machine data, an indexer may again refer to asource type definition associated with the data to locate one or moreproperties that indicate instructions for determining a timestamp foreach event. The properties may, for example, instruct an indexer toextract a time value from a portion of data for the event, tointerpolate time values based on timestamps associated with temporallyproximate events, to create a timestamp based on a time the portion ofmachine data was received or generated, to use the timestamp of aprevious event, or use any other rules for determining timestamps.

At block 510, the indexer associates with each event one or moremetadata fields including a field containing the timestamp determinedfor the event. In some embodiments, a timestamp may be included in themetadata fields. These metadata fields may include any number of“default fields” that are associated with all events, and may alsoinclude one more custom fields as defined by a user. Similar to themetadata fields associated with the data blocks at block 504, thedefault metadata fields associated with each event may include a host,source, and source type field including or in addition to a fieldstoring the timestamp.

At block 512, an indexer may optionally apply one or moretransformations to data included in the events created at block 506. Forexample, such transformations can include removing a portion of an event(e.g., a portion used to define event boundaries, extraneous charactersfrom the event, other extraneous text, etc.), masking a portion of anevent (e.g., masking a credit card number), removing redundant portionsof an event, etc. The transformations applied to events may, forexample, be specified in one or more configuration files and referencedby one or more source type definitions.

FIG. 5C illustrates an illustrative example of machine data can bestored in a data store in accordance with various disclosed embodiments.In other embodiments, machine data can be stored in a flat file in acorresponding bucket with an associated index file, such as a timeseries index or “TSIDX.” As such, the depiction of machine data andassociated metadata as rows and columns in the table of FIG. 5C ismerely illustrative and is not intended to limit the data format inwhich the machine data and metadata is stored in various embodimentsdescribed herein. In one particular embodiment, machine data can bestored in a compressed or encrypted formatted. In such embodiments, themachine data can be stored with or be associated with data thatdescribes the compression or encryption scheme with which the machinedata is stored. The information about the compression or encryptionscheme can be used to decompress or decrypt the machine data, and anymetadata with which it is stored, at search time.

As mentioned above, certain metadata, e.g., host 536, source 537, sourcetype 538 and timestamps 535 can be generated for each event, andassociated with a corresponding portion of machine data 539 when storingthe event data in a data store, e.g., data store 208. Any of themetadata can be extracted from the corresponding machine data, orsupplied or defined by an entity, such as a user or computer system. Themetadata fields can become part of or stored with the event. Note thatwhile the time-stamp metadata field can be extracted from the raw dataof each event, the values for the other metadata fields may bedetermined by the indexer based on information it receives pertaining tothe source of the data separate from the machine data.

While certain default or user-defined metadata fields can be extractedfrom the machine data for indexing purposes, all the machine data withinan event can be maintained in its original condition. As such, inembodiments in which the portion of machine data included in an event isunprocessed or otherwise unaltered, it is referred to herein as aportion of raw machine data. In other embodiments, the port of machinedata in an event can be processed or otherwise altered. As such, unlesscertain information needs to be removed for some reasons (e.g.,extraneous information, confidential information), all the raw machinedata contained in an event can be preserved and saved in its originalform. Accordingly, the data store in which the event records are storedis sometimes referred to as a “raw record data store.” The raw recorddata store contains a record of the raw event data tagged with thevarious default fields.

In FIG. 5C, the first three rows of the table represent events 531, 532,and 533 and are related to a server access log that records requestsfrom multiple clients processed by a server, as indicated by entry of“access.log” in the source column 536.

In the example shown in FIG. 5C, each of the events 531-533 isassociated with a discrete request made from a client device. The rawmachine data generated by the server and extracted from a server accesslog can include the IP address of the client 540, the user id of theperson requesting the document 541, the time the server finishedprocessing the request 542, the request line from the client 543, thestatus code returned by the server to the client 545, the size of theobject returned to the client (in this case, the gif file requested bythe client) 546 and the time spent to serve the request in microseconds544. As seen in FIG. 5C, all the raw machine data retrieved from theserver access log is retained and stored as part of the correspondingevents, 531-533 in the data store.

Event 534 is associated with an entry in a server error log, asindicated by “error.log” in the source column 537 that records errorsthat the server encountered when processing a client request. Similar tothe events related to the server access log, all the raw machine data inthe error log file pertaining to event 534 can be preserved and storedas part of the event 534.

Saving minimally processed or unprocessed machine data in a data storeassociated with metadata fields in the manner similar to that shown inFIG. 5C is advantageous because it allows search of all the machine dataat search time instead of searching only previously specified andidentified fields or field-value pairs. As mentioned above, because datastructures used by various embodiments of the present disclosuremaintain the underlying raw machine data and use a late-binding schemafor searching the raw machines data, it enables a user to continueinvestigating and learn valuable insights about the raw data. In otherwords, the user is not compelled to know about all the fields ofinformation that will be needed at data ingestion time. As a user learnsmore about the data in the events, the user can continue to refine thelate-binding schema by defining new extraction rules, or modifying ordeleting existing extraction rules used by the system.

At blocks 514 and 516, an indexer can optionally generate a keywordindex to facilitate fast keyword searching for events. To build akeyword index, at block 514, the indexer identifies a set of keywords ineach event. At block 516, the indexer includes the identified keywordsin an index, which associates each stored keyword with referencepointers to events containing that keyword (or to locations withinevents where that keyword is located, other location identifiers, etc.).When an indexer subsequently receives a keyword-based query, the indexercan access the keyword index to quickly identify events containing thekeyword.

In some embodiments, the keyword index may include entries for fieldname-value pairs found in events, where a field name-value pair caninclude a pair of keywords connected by a symbol, such as an equals signor colon. This way, events containing these field name-value pairs canbe quickly located. In some embodiments, fields can automatically begenerated for some or all of the field names of the field name-valuepairs at the time of indexing. For example, if the string“dest=10.0.1.2” is found in an event, a field named “dest” may becreated for the event, and assigned a value of “10.0.1.2”.

At block 518, the indexer stores the events with an associated timestampin a data store 208. Timestamps enable a user to search for events basedon a time range. In some embodiments, the stored events are organizedinto “buckets,” where each bucket stores events associated with aspecific time range based on the timestamps associated with each event.This improves time-based searching, as well as allows for events withrecent timestamps, which may have a higher likelihood of being accessed,to be stored in a faster memory to facilitate faster retrieval. Forexample, buckets containing the most recent events can be stored inflash memory rather than on a hard disk. In some embodiments, eachbucket may be associated with an identifier, a time range, and a sizeconstraint.

Each indexer 206 may be responsible for storing and searching a subsetof the events contained in a corresponding data store 208. Bydistributing events among the indexers and data stores, the indexers cananalyze events for a query in parallel. For example, using mapreducetechniques, each indexer returns partial responses for a subset ofevents to a search head that combines the results to produce an answerfor the query. By storing events in buckets for specific time ranges, anindexer may further optimize the data retrieval process by searchingbuckets corresponding to time ranges that are relevant to a query. Insome embodiments, each bucket may be associated with an identifier, atime range, and a size constraint. In certain embodiments, a bucket cancorrespond to a file system directory and the machine data, or events,of a bucket can be stored in one or more files of the file systemdirectory. The file system directory can include additional files, suchas one or more inverted indexes, high performance indexes, permissionsfiles, configuration files, etc.

In some embodiments, each indexer has a home directory and a colddirectory. The home directory of an indexer stores hot buckets and warmbuckets, and the cold directory of an indexer stores cold buckets. A hotbucket is a bucket that is capable of receiving and storing events. Awarm bucket is a bucket that can no longer receive events for storagebut has not yet been moved to the cold directory. A cold bucket is abucket that can no longer receive events and may be a bucket that waspreviously stored in the home directory. The home directory may bestored in faster memory, such as flash memory, as events may be activelywritten to the home directory, and the home directory may typicallystore events that are more frequently searched and thus are accessedmore frequently. The cold directory may be stored in slower and/orlarger memory, such as a hard disk, as events are no longer beingwritten to the cold directory, and the cold directory may typicallystore events that are not as frequently searched and thus are accessedless frequently. In some embodiments, an indexer may also have aquarantine bucket that contains events having potentially inaccurateinformation, such as an incorrect time stamp associated with the eventor a time stamp that appears to be an unreasonable time stamp for thecorresponding event. The quarantine bucket may have events from any timerange; as such, the quarantine bucket may always be searched at searchtime. Additionally, an indexer may store old, archived data in a frozenbucket that is not capable of being searched at search time. In someembodiments, a frozen bucket may be stored in slower and/or largermemory, such as a hard disk, and may be stored in offline and/or remotestorage.

Moreover, events and buckets can also be replicated across differentindexers and data stores to facilitate high availability and disasterrecovery as described in U.S. Pat. No. 9,130,971, entitled “SITE-BASEDSEARCH AFFINITY”, issued on 8 Sep. 2015, and in U.S. patent Ser. No.14/266,817, entitled “MULTI-SITE CLUSTERING”, issued on 1 Sep. 2015,each of which is hereby incorporated by reference in its entirety forall purposes.

FIG. 5B is a block diagram of an example data store 501 that includes adirectory for each index (or partition) that contains a portion of datamanaged by an indexer. FIG. 5B further illustrates details of anembodiment of an inverted index 507B and an event reference array 515associated with inverted index 507B.

The data store 501 can correspond to a data store 208 that stores eventsmanaged by an indexer 206 or can correspond to a different data storeassociated with an indexer 206. In the illustrated embodiment, the datastore 501 includes a main directory 503 associated with a main index anda test directory 505 associated with a test index. However, the datastore 501 can include fewer or more directories. In some embodiments,multiple indexes can share a single directory or all indexes can share acommon directory. Additionally, although illustrated as a single datastore 501, it will be understood that the data store 501 can beimplemented as multiple data stores storing different portions of theinformation shown in FIG. 5B. For example, a single index or partitioncan span multiple directories or multiple data stores, and can beindexed or searched by multiple corresponding indexers.

In the illustrated embodiment of FIG. 5B, the index-specific directories503 and 505 include inverted indexes 507A, 507B and 509A, 509B,respectively. The inverted indexes 507A . . . 507B, and 509A . . . 509Bcan be keyword indexes or field-value pair indexes described herein andcan include less or more information that depicted in FIG. 5B.

In some embodiments, the inverted index 507A . . . 507B, and 509A . . .509B can correspond to a distinct time-series bucket that is managed bythe indexer 206 and that contains events corresponding to the relevantindex (e.g., main index, test index). As such, each inverted index cancorrespond to a particular range of time for an index. Additional files,such as high performance indexes for each time-series bucket of anindex, can also be stored in the same directory as the inverted indexes507A . . . 507B, and 509A . . . 509B. In some embodiments inverted index507A . . . 507B, and 509A . . . 509B can correspond to multipletime-series buckets or inverted indexes 507A . . . 507B, and 509A . . .509B can correspond to a single time-series bucket.

Each inverted index 507A . . . 507B, and 509A . . . 509B can include oneor more entries, such as keyword (or token) entries or field-value pairentries. Furthermore, in certain embodiments, the inverted indexes 507A. . . 507B, and 509A . . . 509B can include additional information, suchas a time range 523 associated with the inverted index or an indexidentifier 525 identifying the index associated with the inverted index507A . . . 507B, and 509A . . . 509B. However, each inverted index 507A. . . 507B, and 509A . . . 509B can include less or more informationthan depicted.

Token entries, such as token entries 511 illustrated in inverted index507B, can include a token 511A (e.g., “error,” “itemID,” etc.) and eventreferences 511B indicative of events that include the token. Forexample, for the token “error,” the corresponding token entry includesthe token “error” and an event reference, or unique identifier, for eachevent stored in the corresponding time-series bucket that includes thetoken “error.” In the illustrated embodiment of FIG. 5B, the error tokenentry includes the identifiers 3, 5, 6, 8, 11, and 12 corresponding toevents managed by the indexer 206 and associated with the index main 503that are located in the time-series bucket associated with the invertedindex 507B.

In some cases, some token entries can be default entries, automaticallydetermined entries, or user specified entries. In some embodiments, theindexer 206 can identify each word or string in an event as a distincttoken and generate a token entry for it. In some cases, the indexer 206can identify the beginning and ending of tokens based on punctuation,spaces, as described in greater detail herein. In certain cases, theindexer 206 can rely on user input or a configuration file to identifytokens for token entries 511, etc. It will be understood that anycombination of token entries can be included as a default, automaticallydetermined, and/or included based on user-specified criteria.

Similarly, field-value pair entries, such as field-value pair entries513 shown in inverted index 507B, can include a field-value pair 513Aand event references 513B indicative of events that include a fieldvalue that corresponds to the field-value pair. For example, for afield-value pair sourcetype::sendmail, a field-value pair entry wouldinclude the field-value pair sourcetype:: sendmail and a uniqueidentifier, or event reference, for each event stored in thecorresponding time-series bucket that includes a sendmail sourcetype.

In some cases, the field-value pair entries 513 can be default entries,automatically determined entries, or user specified entries. As anon-limiting example, the field-value pair entries for the fields host,source, sourcetype can be included in the inverted indexes 507A . . .507B, and 509A . . . 509B as a default. As such, all of the invertedindexes 507A . . . 507B, and 509A . . . 509B can include field-valuepair entries for the fields host, source, sourcetype. As yet anothernon-limiting example, the field-value pair entries for the IP addressfield can be user specified and may only appear in the inverted index507B based on user-specified criteria. As another non-limiting example,as the indexer indexes the events, it can automatically identifyfield-value pairs and create field-value pair entries. For example,based on the indexers review of events, it can identify IP address as afield in each event and add the IP address field-value pair entries tothe inverted index 507B. It will be understood that any combination offield-value pair entries can be included as a default, automaticallydetermined, or included based on user-specified criteria.

Each unique identifier 517, or event reference, can correspond to aunique event located in the time series bucket. However, the same eventreference can be located in multiple entries. For example, if an eventhas a sourcetype splunkd, host wwwl and token “warning,” then the uniqueidentifier for the event will appear in the field-value pair entriessourcetype::splunkd and host::wwwl, as well as the token entry“warning.” With reference to the illustrated embodiment of FIG. 5B andthe event that corresponds to the event reference 3, the event reference3 is found in the field-value pair entries 513 host::hostA,source::sourceB, sourcetype::sourcetypeA, and IP address::91.205.189.15indicating that the event corresponding to the event references is fromhostA, sourceB, of sourcetypeA, and includes 91.205.189.15 in the eventdata.

For some fields, the unique identifier is located in only onefield-value pair entry for a particular field. For example, the invertedindex may include four sourcetype field-value pair entries correspondingto four different sourcetypes of the events stored in a bucket (e.g.,sourcetypes: sendmail, splunkd, web_access, and web_service). Withinthose four sourcetype field-value pair entries, an identifier for aparticular event may appear in only one of the field-value pair entries.With continued reference to the example illustrated embodiment of FIG.5B, since the event reference 7 appears in the field-value pair entrysourcetype::sourcetypeA, then it does not appear in the otherfield-value pair entries for the sourcetype field, includingsourcetype::sourcetypeB, sourcetype::sourcetypeC, andsourcetype::sourcetypeD.

The event references 517 can be used to locate the events in thecorresponding bucket. For example, the inverted index can include, or beassociated with, an event reference array 515. The event reference array515 can include an array entry 517 for each event reference in theinverted index 507B. Each array entry 517 can include locationinformation 519 of the event corresponding to the unique identifier(non-limiting example: seek address of the event), a timestamp 521associated with the event, or additional information regarding the eventassociated with the event reference, etc.

For each token entry 511 or field-value pair entry 513, the eventreference 501Bor unique identifiers can be listed in chronological orderor the value of the event reference can be assigned based onchronological data, such as a timestamp associated with the eventreferenced by the event reference. For example, the event reference 1 inthe illustrated embodiment of FIG. 5B can correspond to thefirst-in-time event for the bucket, and the event reference 12 cancorrespond to the last-in-time event for the bucket. However, the eventreferences can be listed in any order, such as reverse chronologicalorder, ascending order, descending order, or some other order, etc.Further, the entries can be sorted. For example, the entries can besorted alphabetically (collectively or within a particular group), byentry origin (e.g., default, automatically generated, user-specified,etc.), by entry type (e.g., field-value pair entry, token entry, etc.),or chronologically by when added to the inverted index, etc. In theillustrated embodiment of FIG. 5B, the entries are sorted first by entrytype and then alphabetically.

As a non-limiting example of how the inverted indexes 507A . . . 507B,and 509A . . . 509B can be used during a data categorization requestcommand, the indexers can receive filter criteria indicating data thatis to be categorized and categorization criteria indicating how the datais to be categorized. Example filter criteria can include, but is notlimited to, indexes (or partitions), hosts, sources, sourcetypes, timeranges, field identifier, keywords, etc.

Using the filter criteria, the indexer identifies relevant invertedindexes to be searched. For example, if the filter criteria includes aset of partitions, the indexer can identify the inverted indexes storedin the directory corresponding to the particular partition as relevantinverted indexes. Other means can be used to identify inverted indexesassociated with a partition of interest. For example, in someembodiments, the indexer can review an entry in the inverted indexes,such as an index-value pair entry 513 to determine if a particularinverted index is relevant. If the filter criteria does not identify anypartition, then the indexer can identify all inverted indexes managed bythe indexer as relevant inverted indexes.

Similarly, if the filter criteria includes a time range, the indexer canidentify inverted indexes corresponding to buckets that satisfy at leasta portion of the time range as relevant inverted indexes. For example,if the time range is last hour then the indexer can identify allinverted indexes that correspond to buckets storing events associatedwith timestamps within the last hour as relevant inverted indexes.

When used in combination, an index filter criterion specifying one ormore partitions and a time range filter criterion specifying aparticular time range can be used to identify a subset of invertedindexes within a particular directory (or otherwise associated with aparticular partition) as relevant inverted indexes. As such, the indexercan focus the processing to only a subset of the total number ofinverted indexes that the indexer manages.

Once the relevant inverted indexes are identified, the indexer canreview them using any additional filter criteria to identify events thatsatisfy the filter criteria. In some cases, using the known location ofthe directory in which the relevant inverted indexes are located, theindexer can determine that any events identified using the relevantinverted indexes satisfy an index filter criterion. For example, if thefilter criteria includes a partition main, then the indexer candetermine that any events identified using inverted indexes within thepartition main directory (or otherwise associated with the partitionmain) satisfy the index filter criterion.

Furthermore, based on the time range associated with each invertedindex, the indexer can determine that that any events identified using aparticular inverted index satisfies a time range filter criterion. Forexample, if a time range filter criterion is for the last hour and aparticular inverted index corresponds to events within a time range of50 minutes ago to 35 minutes ago, the indexer can determine that anyevents identified using the particular inverted index satisfy the timerange filter criterion. Conversely, if the particular inverted indexcorresponds to events within a time range of 59 minutes ago to 62minutes ago, the indexer can determine that some events identified usingthe particular inverted index may not satisfy the time range filtercriterion.

Using the inverted indexes, the indexer can identify event references(and therefore events) that satisfy the filter criteria. For example, ifthe token “error” is a filter criterion, the indexer can track all eventreferences within the token entry “error.” Similarly, the indexer canidentify other event references located in other token entries orfield-value pair entries that match the filter criteria. The system canidentify event references located in all of the entries identified bythe filter criteria. For example, if the filter criteria include thetoken “error” and field-value pair sourcetype::web_ui, the indexer cantrack the event references found in both the token entry “error” and thefield-value pair entry sourcetype::web_ui. As mentioned previously, insome cases, such as when multiple values are identified for a particularfilter criterion (e.g., multiple sources for a source filter criterion),the system can identify event references located in at least one of theentries corresponding to the multiple values and in all other entriesidentified by the filter criteria. The indexer can determine that theevents associated with the identified event references satisfy thefilter criteria.

In some cases, the indexer can further consult a timestamp associatedwith the event reference to determine whether an event satisfies thefilter criteria. For example, if an inverted index corresponds to a timerange that is partially outside of a time range filter criterion, thenthe indexer can consult a timestamp associated with the event referenceto determine whether the corresponding event satisfies the time rangecriterion. In some embodiments, to identify events that satisfy a timerange, the indexer can review an array, such as the event referencearray 515 that identifies the time associated with the events.Furthermore, as mentioned above using the known location of thedirectory in which the relevant inverted indexes are located (or otherindex identifier), the indexer can determine that any events identifiedusing the relevant inverted indexes satisfy the index filter criterion.

In some cases, based on the filter criteria, the indexer reviews anextraction rule. In certain embodiments, if the filter criteria includesa field name that does not correspond to a field-value pair entry in aninverted index, the indexer can review an extraction rule, which may belocated in a configuration file, to identify a field that corresponds toa field-value pair entry in the inverted index.

For example, the filter criteria includes a field name “sessionID” andthe indexer determines that at least one relevant inverted index doesnot include a field-value pair entry corresponding to the field namesessionID, the indexer can review an extraction rule that identifies howthe sessionID field is to be extracted from a particular host, source,or sourcetype (implicitly identifying the particular host, source, orsourcetype that includes a sessionID field). The indexer can replace thefield name “sessionID” in the filter criteria with the identified host,source, or sourcetype. In some cases, the field name “sessionID” may beassociated with multiples hosts, sources, or sourcetypes, in which case,all identified hosts, sources, and sourcetypes can be added as filtercriteria. In some cases, the identified host, source, or sourcetype canreplace or be appended to a filter criterion, or be excluded. Forexample, if the filter criteria includes a criterion for source S1 andthe “sessionID” field is found in source S2, the source S2 can replaceS1 in the filter criteria, be appended such that the filter criteriaincludes source S1 and source S2, or be excluded based on the presenceof the filter criterion source S1. If the identified host, source, orsourcetype is included in the filter criteria, the indexer can thenidentify a field-value pair entry in the inverted index that includes afield value corresponding to the identity of the particular host,source, or sourcetype identified using the extraction rule.

Once the events that satisfy the filter criteria are identified, thesystem, such as the indexer 206 can categorize the results based on thecategorization criteria. The categorization criteria can includecategories for grouping the results, such as any combination ofpartition, source, sourcetype, or host, or other categories or fields asdesired.

The indexer can use the categorization criteria to identifycategorization criteria-value pairs or categorization criteria values bywhich to categorize or group the results. The categorizationcriteria-value pairs can correspond to one or more field-value pairentries stored in a relevant inverted index, one or more index-valuepairs based on a directory in which the inverted index is located or anentry in the inverted index (or other means by which an inverted indexcan be associated with a partition), or other criteria-value pair thatidentifies a general category and a particular value for that category.The categorization criteria values can correspond to the value portionof the categorization criteria-value pair.

As mentioned, in some cases, the categorization criteria-value pairs cancorrespond to one or more field-value pair entries stored in therelevant inverted indexes. For example, the categorizationcriteria-value pairs can correspond to field-value pair entries of host,source, and sourcetype (or other field-value pair entry as desired). Forinstance, if there are ten different hosts, four different sources, andfive different sourcetypes for an inverted index, then the invertedindex can include ten host field-value pair entries, four sourcefield-value pair entries, and five sourcetype field-value pair entries.The indexer can use the nineteen distinct field-value pair entries ascategorization criteria-value pairs to group the results.

Specifically, the indexer can identify the location of the eventreferences associated with the events that satisfy the filter criteriawithin the field-value pairs, and group the event references based ontheir location. As such, the indexer can identify the particular fieldvalue associated with the event corresponding to the event reference.For example, if the categorization criteria include host and sourcetype,the host field-value pair entries and sourcetype field-value pairentries can be used as categorization criteria-value pairs to identifythe specific host and sourcetype associated with the events that satisfythe filter criteria.

In addition, as mentioned, categorization criteria-value pairs cancorrespond to data other than the field-value pair entries in therelevant inverted indexes. For example, if partition or index is used asa categorization criterion, the inverted indexes may not includepartition field-value pair entries. Rather, the indexer can identify thecategorization criteria-value pair associated with the partition basedon the directory in which an inverted index is located, information inthe inverted index, or other information that associates the invertedindex with the partition, etc. As such a variety of methods can be usedto identify the categorization criteria-value pairs from thecategorization criteria.

Accordingly based on the categorization criteria (and categorizationcriteria-value pairs), the indexer can generate groupings based on theevents that satisfy the filter criteria. As a non-limiting example, ifthe categorization criteria includes a partition and sourcetype, thenthe groupings can correspond to events that are associated with eachunique combination of partition and sourcetype. For instance, if thereare three different partitions and two different sourcetypes associatedwith the identified events, then the six different groups can be formed,each with a unique partition value-sourcetype value combination.Similarly, if the categorization criteria includes partition,sourcetype, and host and there are two different partitions, threesourcetypes, and five hosts associated with the identified events, thenthe indexer can generate up to thirty groups for the results thatsatisfy the filter criteria. Each group can be associated with a uniquecombination of categorization criteria-value pairs (e.g., uniquecombinations of partition value sourcetype value, and host value).

In addition, the indexer can count the number of events associated witheach group based on the number of events that meet the uniquecombination of categorization criteria for a particular group (or matchthe categorization criteria-value pairs for the particular group). Withcontinued reference to the example above, the indexer can count thenumber of events that meet the unique combination of partition,sourcetype, and host for a particular group.

Each indexer communicates the groupings to the search head. The searchhead can aggregate the groupings from the indexers and provide thegroupings for display. In some cases, the groups are displayed based onat least one of the host, source, sourcetype, or partition associatedwith the groupings. In some embodiments, the search head can furtherdisplay the groups based on display criteria, such as a display order ora sort order as described in greater detail above.

As a non-limiting example and with reference to FIG. 5B, consider arequest received by an indexer 206 that includes the following filtercriteria: keyword=error, partition=main, time range=3/1/1716:22.00.000-16:28.00.000, sourcetype=sourcetypeC, host=hostB, and thefollowing categorization criteria: source.

Based on the above criteria, the indexer 206 identifies main directory503 and can ignore test directory 505 and any other partition-specificdirectories. The indexer determines that inverted partition 507B is arelevant partition based on its location within the main directory 503and the time range associated with it. For sake of simplicity in thisexample, the indexer 206 determines that no other inverted indexes inthe main directory 503, such as inverted index 507A satisfy the timerange criterion.

Having identified the relevant inverted index 507B, the indexer reviewsthe token entries 511 and the field-value pair entries 513 to identifyevent references, or events that satisfy all of the filter criteria.

With respect to the token entries 511, the indexer can review the errortoken entry and identify event references 3, 5, 6, 8, 11, 12, indicatingthat the term “error” is found in the corresponding events. Similarly,the indexer can identify event references 4, 5, 6, 8, 9, 10, 11 in thefield-value pair entry sourcetype::sourcetypeC and event references 2,5, 6, 8, 10, 11 in the field-value pair entry host::hostB. As the filtercriteria did not include a source or an IP address field-value pair, theindexer can ignore those field-value pair entries.

In addition to identifying event references found in at least one tokenentry or field-value pair entry (e.g., event references 3, 4, 5, 6, 8,9, 10, 11, 12), the indexer can identify events (and corresponding eventreferences) that satisfy the time range criterion using the eventreference array 1614 (e.g., event references 2, 3, 4, 5, 6, 7, 8, 9,10). Using the information obtained from the inverted index 507B(including the event reference array 515), the indexer 206 can identifythe event references that satisfy all of the filter criteria (e.g.,event references 5, 6, 8).

Having identified the events (and event references) that satisfy all ofthe filter criteria, the indexer 206 can group the event referencesusing the received categorization criteria (source). In doing so, theindexer can determine that event references 5 and 6 are located in thefield-value pair entry source::sourceD (or have matching categorizationcriteria-value pairs) and event reference 8 is located in thefield-value pair entry source::sourceC. Accordingly, the indexer cangenerate a sourceC group having a count of one corresponding toreference 8 and a sourceD group having a count of two corresponding toreferences 5 and 6. This information can be communicated to the searchhead. In turn the search head can aggregate the results from the variousindexers and display the groupings. As mentioned above, in someembodiments, the groupings can be displayed based at least in part onthe categorization criteria, including at least one of host, source,sourcetype, or partition.

It will be understood that a change to any of the filter criteria orcategorization criteria can result in different groupings. As a onenon-limiting example, a request received by an indexer 206 that includesthe following filter criteria: partition=main, time range=3/1/17 3/1/1716:21:20.000-16:28:17.000, and the following categorization criteria:host, source, sourcetype would result in the indexer identifying eventreferences 1-12 as satisfying the filter criteria. The indexer wouldthen generate up to 24 groupings corresponding to the 24 differentcombinations of the categorization criteria-value pairs, including host(hostA, hostB), source (sourceA, sourceB, sourceC, sourceD), andsourcetype (sourcetypeA, sourcetypeB, sourcetypeC). However, as thereare only twelve events identifiers in the illustrated embodiment andsome fall into the same grouping, the indexer generates eight groups andcounts as follows:

-   -   Group 1 (hostA, sourceA, sourcetypeA): 1 (event reference 7)    -   Group 2 (hostA, sourceA, sourcetypeB): 2 (event references 1,        12)    -   Group 3 (hostA, sourceA, sourcetypeC): 1 (event reference 4)    -   Group 4 (hostA, sourceB, sourcetypeA): 1 (event reference 3)    -   Group 5 (hostA, sourceB, sourcetypeC): 1 (event reference 9)    -   Group 6 (hostB, sourceC, sourcetypeA): 1 (event reference 2)    -   Group 7 (hostB, sourceC, sourcetypeC): 2 (event references 8,        11)    -   Group 8 (hostB, sourceD, sourcetypeC): 3 (event references 5, 6,        10)

As noted, each group has a unique combination of categorizationcriteria-value pairs or categorization criteria values. The indexercommunicates the groups to the search head for aggregation with resultsreceived from other indexers. In communicating the groups to the searchhead, the indexer can include the categorization criteria-value pairsfor each group and the count. In some embodiments, the indexer caninclude more or less information. For example, the indexer can includethe event references associated with each group and other identifyinginformation, such as the indexer or inverted index used to identify thegroups.

As another non-limiting examples, a request received by an indexer 206that includes the following filter criteria: partition=main, timerange=3/1/17 3/1/17 16:21:20.000-16:28:17.000, source=sourceA, sourceD,and keyword=itemID and the following categorization criteria: host,source, sourcetype would result in the indexer identifying eventreferences 4, 7, and 10 as satisfying the filter criteria, and generatethe following groups:

-   -   Group 1 (hostA, sourceA, sourcetypeC): 1 (event reference 4)    -   Group 2 (hostA, sourceA, sourcetypeA): 1 (event reference 7)    -   Group 3 (hostB, sourceD, sourcetypeC): 1 (event references 10)

The indexer communicates the groups to the search head for aggregationwith results received from other indexers. As will be understand thereare myriad ways for filtering and categorizing the events and eventreferences. For example, the indexer can review multiple invertedindexes associated with a partition or review the inverted indexes ofmultiple partitions, and categorize the data using any one or anycombination of partition, host, source, sourcetype, or other category,as desired.

Further, if a user interacts with a particular group, the indexer canprovide additional information regarding the group. For example, theindexer can perform a targeted search or sampling of the events thatsatisfy the filter criteria and the categorization criteria for theselected group, also referred to as the filter criteria corresponding tothe group or filter criteria associated with the group.

In some cases, to provide the additional information, the indexer relieson the inverted index. For example, the indexer can identify the eventreferences associated with the events that satisfy the filter criteriaand the categorization criteria for the selected group and then use theevent reference array 515 to access some or all of the identifiedevents. In some cases, the categorization criteria values orcategorization criteria-value pairs associated with the group becomepart of the filter criteria for the review.

With reference to FIG. 5B for instance, suppose a group is displayedwith a count of six corresponding to event references 4, 5, 6, 8, 10, 11(i.e., event references 4, 5, 6, 8, 10, 11 satisfy the filter criteriaand are associated with matching categorization criteria values orcategorization criteria-value pairs) and a user interacts with the group(e.g., selecting the group, clicking on the group, etc.). In response,the search head communicates with the indexer to provide additionalinformation regarding the group.

In some embodiments, the indexer identifies the event referencesassociated with the group using the filter criteria and thecategorization criteria for the group (e.g., categorization criteriavalues or categorization criteria-value pairs unique to the group).Together, the filter criteria and the categorization criteria for thegroup can be referred to as the filter criteria associated with thegroup. Using the filter criteria associated with the group, the indexeridentifies event references 4, 5, 6, 8, 10, 11.

Based on a sampling criteria, discussed in greater detail above, theindexer can determine that it will analyze a sample of the eventsassociated with the event references 4, 5, 6, 8, 10, 11. For example,the sample can include analyzing event data associated with the eventreferences 5, 8, 10. In some embodiments, the indexer can use the eventreference array 515 to access the event data associated with the eventreferences 5, 8, 10. Once accessed, the indexer can compile the relevantinformation and provide it to the search head for aggregation withresults from other indexers. By identifying events and sampling eventdata using the inverted indexes, the indexer can reduce the amount ofactual data this is analyzed and the number of events that are accessedin order to generate the summary of the group and provide a response inless time.

FIG. 6A is a flow diagram of an example method that illustrates how asearch head and indexers perform a search query, in accordance withexample embodiments. At block 602, a search head receives a search queryfrom a client. At block 604, the search head analyzes the search queryto determine what portion(s) of the query can be delegated to indexersand what portions of the query can be executed locally by the searchhead. At block 606, the search head distributes the determined portionsof the query to the appropriate indexers. In some embodiments, a searchhead cluster may take the place of an independent search head where eachsearch head in the search head cluster coordinates with peer searchheads in the search head cluster to schedule jobs, replicate searchresults, update configurations, fulfill search requests, etc. In someembodiments, the search head (or each search head) communicates with amaster node (also known as a cluster master, not shown in FIG. 2 ) thatprovides the search head with a list of indexers to which the searchhead can distribute the determined portions of the query. The masternode maintains a list of active indexers and can also designate whichindexers may have responsibility for responding to queries over certainsets of events. A search head may communicate with the master nodebefore the search head distributes queries to indexers to discover theaddresses of active indexers.

At block 608, the indexers to which the query was distributed, searchdata stores associated with them for events that are responsive to thequery. To determine which events are responsive to the query, theindexer searches for events that match the criteria specified in thequery. These criteria can include matching keywords or specific valuesfor certain fields. The searching operations at block 608 may use thelate-binding schema to extract values for specified fields from eventsat the time the query is processed. In some embodiments, one or morerules for extracting field values may be specified as part of a sourcetype definition in a configuration file. The indexers may then eithersend the relevant events back to the search head, or use the events todetermine a partial result, and send the partial result back to thesearch head.

At block 610, the search head combines the partial results and/or eventsreceived from the indexers to produce a final result for the query. Insome examples, the results of the query are indicative of performance orsecurity of the IT environment and may help improve the performance ofcomponents in the IT environment. This final result may comprisedifferent types of data depending on what the query requested. Forexample, the results can include a listing of matching events returnedby the query, or some type of visualization of the data from thereturned events. In another example, the final result can include one ormore calculated values derived from the matching events.

The results generated by the system 108 can be returned to a clientusing different techniques. For example, one technique streams resultsor relevant events back to a client in real-time as they are identified.Another technique waits to report the results to the client until acomplete set of results (which may include a set of relevant events or aresult based on relevant events) is ready to return to the client. Yetanother technique streams interim results or relevant events back to theclient in real-time until a complete set of results is ready, and thenreturns the complete set of results to the client. In another technique,certain results are stored as “search jobs” and the client may retrievethe results by referring the search jobs.

The search head can also perform various operations to make the searchmore efficient. For example, before the search head begins execution ofa query, the search head can determine a time range for the query and aset of common keywords that all matching events include. The search headmay then use these parameters to query the indexers to obtain a supersetof the eventual results. Then, during a filtering stage, the search headcan perform field-extraction operations on the superset to produce areduced set of search results. This speeds up queries, which may beparticularly helpful for queries that are performed on a periodic basis.

Various embodiments of the present disclosure can be implemented using,or in conjunction with, a pipelined command language. A pipelinedcommand language is a language in which a set of inputs or data isoperated on by a first command in a sequence of commands, and thensubsequent commands in the order they are arranged in the sequence. Suchcommands can include any type of functionality for operating on data,such as retrieving, searching, filtering, aggregating, processing,transmitting, and the like. As described herein, a query can thus beformulated in a pipelined command language and include any number ofordered or unordered commands for operating on data.

Splunk Processing Language (SPL) is an example of a pipelined commandlanguage in which a set of inputs or data is operated on by any numberof commands in a particular sequence. A sequence of commands, or commandsequence, can be formulated such that the order in which the commandsare arranged defines the order in which the commands are applied to aset of data or the results of an earlier executed command. For example,a first command in a command sequence can operate to search or filterfor specific data in particular set of data. The results of the firstcommand can then be passed to another command listed later in thecommand sequence for further processing.

In various embodiments, a query can be formulated as a command sequencedefined in a command line of a search UI. In some embodiments, a querycan be formulated as a sequence of SPL commands. Some or all of the SPLcommands in the sequence of SPL commands can be separated from oneanother by a pipe symbol “|”. In such embodiments, a set of data, suchas a set of events, can be operated on by a first SPL command in thesequence, and then a subsequent SPL command following a pipe symbol “|”after the first SPL command operates on the results produced by thefirst SPL command or other set of data, and so on for any additional SPLcommands in the sequence. As such, a query formulated using SPLcomprises a series of consecutive commands that are delimited by pipe“|” characters. The pipe character indicates to the system that theoutput or result of one command (to the left of the pipe) should be usedas the input for one of the subsequent commands (to the right of thepipe). This enables formulation of queries defined by a pipeline ofsequenced commands that refines or enhances the data at each step alongthe pipeline until the desired results are attained. Accordingly,various embodiments described herein can be implemented with SplunkProcessing Language (SPL) used in conjunction with the SPLUNK®ENTERPRISE system.

While a query can be formulated in many ways, a query can start with asearch command and one or more corresponding search terms at thebeginning of the pipeline. Such search terms can include any combinationof keywords, phrases, times, dates, Boolean expressions, fieldname-fieldvalue pairs, etc. that specify which results should be obtained from anindex. The results can then be passed as inputs into subsequent commandsin a sequence of commands by using, for example, a pipe character. Thesubsequent commands in a sequence can include directives for additionalprocessing of the results once it has been obtained from one or moreindexes. For example, commands may be used to filter unwantedinformation out of the results, extract more information, evaluate fieldvalues, calculate statistics, reorder the results, create an alert,create summary of the results, or perform some type of aggregationfunction. In some embodiments, the summary can include a graph, chart,metric, or other visualization of the data. An aggregation function caninclude analysis or calculations to return an aggregate value, such asan average value, a sum, a maximum value, a root mean square,statistical values, and the like.

Due to its flexible nature, use of a pipelined command language invarious embodiments is advantageous because it can perform “filtering”as well as “processing” functions. In other words, a single query caninclude a search command and search term expressions, as well asdata-analysis expressions. For example, a command at the beginning of aquery can perform a “filtering” step by retrieving a set of data basedon a condition (e.g., records associated with server response times ofless than 1 microsecond). The results of the filtering step can then bepassed to a subsequent command in the pipeline that performs a“processing” step (e.g., calculation of an aggregate value related tothe filtered events such as the average response time of servers withresponse times of less than 1 microsecond). Furthermore, the searchcommand can allow events to be filtered by keyword as well as fieldvalue criteria. For example, a search command can filter out all eventscontaining the word “warning” or filter out all events where a fieldvalue associated with a field “clientip” is “10.0.1.2.”

The results obtained or generated in response to a command in a querycan be considered a set of results data. The set of results data can bepassed from one command to another in any data format. In oneembodiment, the set of result data can be in the form of a dynamicallycreated table. Each command in a particular query can redefine the shapeof the table. In some implementations, an event retrieved from an indexin response to a query can be considered a row with a column for eachfield value. Columns contain basic information about the data and alsomay contain data that has been dynamically extracted at search time.

FIG. 6B provides a visual representation of the manner in which apipelined command language or query operates in accordance with thedisclosed embodiments. The query 630 can be inputted by the user into asearch. The query comprises a search, the results of which are piped totwo commands (namely, command 1 and command 2) that follow the searchstep.

Disk 622 represents the event data in the raw record data store.

When a user query is processed, a search step will precede other queriesin the pipeline in order to generate a set of events at block 640. Forexample, the query can comprise search terms “sourcetype=syslog ERROR”at the front of the pipeline as shown in FIG. 6B. Intermediate resultstable 624 shows fewer rows because it represents the subset of eventsretrieved from the index that matched the search terms“sourcetype=syslog ERROR” from search command 630. By way of furtherexample, instead of a search step, the set of events at the head of thepipeline may be generating by a call to a pre-existing inverted index(as will be explained later).

At block 642, the set of events generated in the first part of the querymay be piped to a query that searches the set of events for field-valuepairs or for keywords. For example, the second intermediate resultstable 626 shows fewer columns, representing the result of the topcommand, “top user” which summarizes the events into a list of the top10 users and displays the user, count, and percentage.

Finally, at block 644, the results of the prior stage can be pipelinedto another stage where further filtering or processing of the data canbe performed, e.g., preparing the data for display purposes, filteringthe data based on a condition, performing a mathematical calculationwith the data, etc. As shown in FIG. 6B, the “fields—percent” part ofcommand 630 removes the column that shows the percentage, thereby,leaving a final results table 628 without a percentage column. Indifferent embodiments, other query languages, such as the StructuredQuery Language (“SQL”), can be used to create a query.

The search head 210 allows users to search and visualize eventsgenerated from machine data received from homogenous data sources. Thesearch head 210 also allows users to search and visualize eventsgenerated from machine data received from heterogeneous data sources.The search head 210 includes various mechanisms, which may additionallyreside in an indexer 206, for processing a query. A query language maybe used to create a query, such as any suitable pipelined querylanguage. For example, Splunk Processing Language (SPL) can be utilizedto make a query. SPL is a pipelined search language in which a set ofinputs is operated on by a first command in a command line, and then asubsequent command following the pipe symbol “|” operates on the resultsproduced by the first command, and so on for additional commands. Otherquery languages, such as the Structured Query Language (“SQL”), can beused to create a query.

In response to receiving the search query, search head 210 usesextraction rules to extract values for fields in the events beingsearched. The search head 210 obtains extraction rules that specify howto extract a value for fields from an event. Extraction rules cancomprise regex rules that specify how to extract values for the fieldscorresponding to the extraction rules. In addition to specifying how toextract field values, the extraction rules may also include instructionsfor deriving a field value by performing a function on a characterstring or value retrieved by the extraction rule. For example, anextraction rule may truncate a character string or convert the characterstring into a different data format. In some cases, the query itself canspecify one or more extraction rules.

The search head 210 can apply the extraction rules to events that itreceives from indexers 206. Indexers 206 may apply the extraction rulesto events in an associated data store 208. Extraction rules can beapplied to all the events in a data store or to a subset of the eventsthat have been filtered based on some criteria (e.g., event time stampvalues, etc.). Extraction rules can be used to extract one or morevalues for a field from events by parsing the portions of machine datain the events and examining the data for one or more patterns ofcharacters, numbers, delimiters, etc., that indicate where the fieldbegins and, optionally, ends.

FIG. 7A is a diagram of an example scenario where a common customeridentifier is found among log data received from three disparate datasources, in accordance with example embodiments. In this example, a usersubmits an order for merchandise using a vendor's shopping applicationprogram 701 running on the user's system. In this example, the order wasnot delivered to the vendor's server due to a resource exception at thedestination server that is detected by the middleware code 702. The userthen sends a message to the customer support server 703 to complainabout the order failing to complete. The three systems 701, 702, and 703are disparate systems that do not have a common logging format. Theorder application 701 sends log data 704 to the data intake and querysystem in one format, the middleware code 702 sends error log data 705in a second format, and the support server 703 sends log data 706 in athird format.

Using the log data received at one or more indexers 206 from the threesystems, the vendor can uniquely obtain an insight into user activity,user experience, and system behavior. The search head 210 allows thevendor's administrator to search the log data from the three systemsthat one or more indexers 206 are responsible for searching, therebyobtaining correlated information, such as the order number andcorresponding customer ID number of the person placing the order. Thesystem also allows the administrator to see a visualization of relatedevents via a user interface. The administrator can query the search head210 for customer ID field value matches across the log data from thethree systems that are stored at the one or more indexers 206. Thecustomer ID field value exists in the data gathered from the threesystems, but the customer ID field value may be located in differentareas of the data given differences in the architecture of the systems.There is a semantic relationship between the customer ID field valuesgenerated by the three systems. The search head 210 requests events fromthe one or more indexers 206 to gather relevant events from the threesystems. The search head 210 then applies extraction rules to the eventsin order to extract field values that it can correlate. The search headmay apply a different extraction rule to each set of events from eachsystem when the event format differs among systems. In this example, theuser interface can display to the administrator the events correspondingto the common customer ID field values 707, 708, and 709, therebyproviding the administrator with insight into a customer's experience.

Note that query results can be returned to a client, a search head, orany other system component for further processing. In general, queryresults may include a set of one or more events, a set of one or morevalues obtained from the events, a subset of the values, statisticscalculated based on the values, a report containing the values, avisualization (e.g., a graph or chart) generated from the values, andthe like.

The search system enables users to run queries against the stored datato retrieve events that meet criteria specified in a query, such ascontaining certain keywords or having specific values in defined fields.FIG. 7B illustrates the manner in which keyword searches and fieldsearches are processed in accordance with disclosed embodiments.

If a user inputs a search query into search bar 710 that includes onlykeywords (also known as “tokens”), e.g., the keyword “error” or“warning”, the query search engine of the data intake and query systemsearches for those keywords directly in the event data 711 stored in theraw record data store. Note that while FIG. 7B only illustrates fourevents 712, 713, 714, 715, the raw record data store (corresponding todata store 208 in FIG. 2 ) may contain records for millions of events.

As disclosed above, an indexer can optionally generate a keyword indexto facilitate fast keyword searching for event data. The indexerincludes the identified keywords in an index, which associates eachstored keyword with reference pointers to events containing that keyword(or to locations within events where that keyword is located, otherlocation identifiers, etc.). When an indexer subsequently receives akeyword-based query, the indexer can access the keyword index to quicklyidentify events containing the keyword. For example, if the keyword“HTTP” was indexed by the indexer at index time, and the user searchesfor the keyword “HTTP”, the events 712, 713, and 714, will be identifiedbased on the results returned from the keyword index. As noted above,the index contains reference pointers to the events containing thekeyword, which allows for efficient retrieval of the relevant eventsfrom the raw record data store.

If a user searches for a keyword that has not been indexed by theindexer, the data intake and query system would nevertheless be able toretrieve the events by searching the event data for the keyword in theraw record data store directly as shown in FIG. 7B. For example, if auser searches for the keyword “frank”, and the name “frank” has not beenindexed at index time, the data intake and query system will search theevent data directly and return the first event 712. Note that whetherthe keyword has been indexed at index time or not, in both cases the rawdata of the events 712-715 is accessed from the raw data record store toservice the keyword search. In the case where the keyword has beenindexed, the index will contain a reference pointer that will allow fora more efficient retrieval of the event data from the data store. If thekeyword has not been indexed, the search engine will need to searchthrough all the records in the data store to service the search.

In most cases, however, in addition to keywords, a user's search willalso include fields. The term “field” refers to a location in the eventdata containing one or more values for a specific data item. Often, afield is a value with a fixed, delimited position on a line, or a nameand value pair, where there is a single value to each field name. Afield can also be multivalued, that is, it can appear more than once inan event and have a different value for each appearance, e.g., emailaddress fields. Fields are searchable by the field name or fieldname-value pairs. Some examples of fields are “clientip” for IPaddresses accessing a web server, or the “From” and “To” fields in emailaddresses.

By way of further example, consider the search, “status=404”. Thissearch query finds events with “status” fields that have a value of“404.” When the search is run, the search engine does not look forevents with any other “status” value. It also does not look for eventscontaining other fields that share “404” as a value. As a result, thesearch returns a set of results that are more focused than if “404” hadbeen used in the search string as part of a keyword search. Note alsothat fields can appear in events as “key=value” pairs such as“user_name=Bob.” But in most cases, field values appear in fixed,delimited positions without identifying keys. For example, the datastore may contain events where the “user_name” value always appears byitself after the timestamp as illustrated by the following string: “Nov15 09:33:22 johnmedlock.”

The data intake and query system advantageously allows for search timefield extraction. In other words, fields can be extracted from the eventdata at search time using late-binding schema as opposed to at dataingestion time, which was a major limitation of the prior art systems.

In response to receiving the search query, search head 210 usesextraction rules to extract values for the fields associated with afield or fields in the event data being searched. The search head 210obtains extraction rules that specify how to extract a value for certainfields from an event. Extraction rules can comprise regex rules thatspecify how to extract values for the relevant fields. In addition tospecifying how to extract field values, the extraction rules may alsoinclude instructions for deriving a field value by performing a functionon a character string or value retrieved by the extraction rule. Forexample, a transformation rule may truncate a character string, orconvert the character string into a different data format. In somecases, the query itself can specify one or more extraction rules.

FIG. 7B illustrates the manner in which configuration files may be usedto configure custom fields at search time in accordance with thedisclosed embodiments. In response to receiving a search query, the dataintake and query system determines if the query references a “field.”For example, a query may request a list of events where the “clientip”field equals “127.0.0.1.” If the query itself does not specify anextraction rule and if the field is not a metadata field, e.g., time,host, source, source type, etc., then in order to determine anextraction rule, the search engine may, in one or more embodiments, needto locate configuration file 716 during the execution of the search asshown in FIG. 7B.

Configuration file 716 may contain extraction rules for all the variousfields that are not metadata fields, e.g., the “clientip” field. Theextraction rules may be inserted into the configuration file in avariety of ways. In some embodiments, the extraction rules can compriseregular expression rules that are manually entered in by the user.Regular expressions match patterns of characters in text and are usedfor extracting custom fields in text.

In one or more embodiments, as noted above, a field extractor may beconfigured to automatically generate extraction rules for certain fieldvalues in the events when the events are being created, indexed, orstored, or possibly at a later time. In one embodiment, a user may beable to dynamically create custom fields by highlighting portions of asample event that should be extracted as fields using a graphical userinterface. The system would then generate a regular expression thatextracts those fields from similar events and store the regularexpression as an extraction rule for the associated field in theconfiguration file 716.

In some embodiments, the indexers may automatically discover certaincustom fields at index time and the regular expressions for those fieldswill be automatically generated at index time and stored as part ofextraction rules in configuration file 716. For example, fields thatappear in the event data as “key=value” pairs may be automaticallyextracted as part of an automatic field discovery process. Note thatthere may be several other ways of adding field definitions toconfiguration files in addition to the methods discussed herein.

The search head 210 can apply the extraction rules derived fromconfiguration file 716 to event data that it receives from indexers 206.Indexers 206 may apply the extraction rules from the configuration fileto events in an associated data store 208. Extraction rules can beapplied to all the events in a data store, or to a subset of the eventsthat have been filtered based on some criteria (e.g., event time stampvalues, etc.). Extraction rules can be used to extract one or morevalues for a field from events by parsing the event data and examiningthe event data for one or more patterns of characters, numbers,delimiters, etc., that indicate where the field begins and, optionally,ends.

In one more embodiments, the extraction rule in configuration file 716will also need to define the type or set of events that the rule appliesto. Because the raw record data store will contain events from multipleheterogeneous sources, multiple events may contain the same fields indifferent locations because of discrepancies in the format of the datagenerated by the various sources. Furthermore, certain events may notcontain a particular field at all. For example, event 715 also contains“clientip” field, however, the “clientip” field is in a different formatfrom the events 712, 713, and 714. To address the discrepancies in theformat and content of the different types of events, the configurationfile will also need to specify the set of events that an extraction ruleapplies to, e.g., extraction rule 717 specifies a rule for filtering bythe type of event and contains a regular expression for parsing out thefield value. Accordingly, each extraction rule will pertain to only aparticular type of event. If a particular field, e.g., “clientip” occursin multiple events, each of those types of events would need its owncorresponding extraction rule in the configuration file 716 and each ofthe extraction rules would comprise a different regular expression toparse out the associated field value. The most common way to categorizeevents is by source type because events generated by a particular sourcecan have the same format.

The field extraction rules stored in configuration file 716 performsearch-time field extractions. For example, for a query that requests alist of events with source type “access_combined” where the “clientip”field equals “127.0.0.1,” the query search engine would first locate theconfiguration file 716 to retrieve extraction rule 717 that would allowit to extract values associated with the “clientip” field from the eventdata 720 “where the source type is “access_combined. After the“clientip” field has been extracted from all the events comprising the“clientip” field where the source type is “access_combined,” the querysearch engine can then execute the field criteria by performing thecompare operation to filter out the events where the “clientip” fieldequals “127.0.0.1.” In the example shown in FIG. 7B, the events 712,713, and 714 would be returned in response to the user query. In thismanner, the search engine can service queries containing field criteriain addition to queries containing keyword criteria (as explained above).

The configuration file can be created during indexing. It may either bemanually created by the user or automatically generated with certainpredetermined field extraction rules. As discussed above, the events maybe distributed across several indexers, wherein each indexer may beresponsible for storing and searching a subset of the events containedin a corresponding data store. In a distributed indexer system, eachindexer would need to maintain a local copy of the configuration filethat is synchronized periodically across the various indexers.

The ability to add schema to the configuration file at search timeresults in increased efficiency. A user can create new fields at searchtime and simply add field definitions to the configuration file. As auser learns more about the data in the events, the user can continue torefine the late-binding schema by adding new fields, deleting fields, ormodifying the field extraction rules in the configuration file for usethe next time the schema is used by the system. Because the data intakeand query system maintains the underlying raw data and uses late-bindingschema for searching the raw data, it enables a user to continueinvestigating and learn valuable insights about the raw data long afterdata ingestion time.

The ability to add multiple field definitions to the configuration fileat search time also results in increased flexibility. For example,multiple field definitions can be added to the configuration file tocapture the same field across events generated by different sourcetypes. This allows the data intake and query system to search andcorrelate data across heterogeneous sources flexibly and efficiently.

Further, by providing the field definitions for the queried fields atsearch time, the configuration file 716 allows the record data store tobe field searchable. In other words, the raw record data store can besearched using keywords as well as fields, wherein the fields aresearchable name/value pairings that distinguish one event from anotherand can be defined in configuration file 716 using extraction rules. Incomparison to a search containing field names, a keyword search does notneed the configuration file and can search the event data directly asshown in FIG. 7B.

It should also be noted that any events filtered out by performing asearch-time field extraction using a configuration file can be furtherprocessed by directing the results of the filtering step to a processingstep using a pipelined search language. Using the prior example, a usercould pipeline the results of the compare step to an aggregate functionby asking the query search engine to count the number of events wherethe “clientip” field equals “127.0.0.1.”

FIG. 8A is an interface diagram of an example user interface for asearch screen 800, in accordance with example embodiments. Search screen800 includes a search bar 802 that accepts user input in the form of asearch string. It also includes a time range picker 812 that enables theuser to specify a time range for the search. For historical searches(e.g., searches based on a particular historical time range), the usercan select a specific time range, or alternatively a relative timerange, such as “today,” “yesterday” or “last week.” For real-timesearches (e.g., searches whose results are based on data received inreal-time), the user can select the size of a preceding time window tosearch for real-time events. Search screen 800 also initially displays a“data summary” dialog as is illustrated in FIG. 8B that enables the userto select different sources for the events, such as by selectingspecific hosts and log files.

After the search is executed, the search screen 800 in FIG. 8A candisplay the results through search results tabs 804, wherein searchresults tabs 804 includes: an “events tab” that displays variousinformation about events returned by the search; a “statistics tab” thatdisplays statistics about the search results; and a “visualization tab”that displays various visualizations of the search results. The eventstab illustrated in FIG. 8A displays a timeline graph 805 thatgraphically illustrates the number of events that occurred in one-hourintervals over the selected time range. The events tab also displays anevents list 808 that enables a user to view the machine data in each ofthe returned events.

The events tab additionally displays a sidebar that is an interactivefield picker 806. The field picker 806 may be displayed to a user inresponse to the search being executed and allows the user to furtheranalyze the search results based on the fields in the events of thesearch results. The field picker 806 includes field names that referencefields present in the events in the search results. The field picker maydisplay any Selected Fields 820 that a user has pre-selected for display(e.g., host, source, sourcetype) and may also display any InterestingFields 822 that the system determines may be interesting to the userbased on pre-specified criteria (e.g., action, bytes, categoryid,clientip, date_hour, date_mday, date_minute, etc.). The field pickeralso provides an option to display field names for all the fieldspresent in the events of the search results using the All Fields control824.

Each field name in the field picker 806 has a value type identifier tothe left of the field name, such as value type identifier 826. A valuetype identifier identifies the type of value for the respective field,such as an “a” for fields that include literal values or a “#” forfields that include numerical values.

Each field name in the field picker also has a unique value count to theright of the field name, such as unique value count 828. The uniquevalue count indicates the number of unique values for the respectivefield in the events of the search results.

Each field name is selectable to view the events in the search resultsthat have the field referenced by that field name. For example, a usercan select the “host” field name, and the events shown in the eventslist 808 will be updated with events in the search results that have thefield that is reference by the field name “host.”

A data model is a hierarchically structured search-time mapping ofsemantic knowledge about one or more datasets. It encodes the domainknowledge used to build a variety of specialized searches of thosedatasets. Those searches, in turn, can be used to generate reports.

A data model is composed of one or more “objects” (or “data modelobjects”) that define or otherwise correspond to a specific set of data.An object is defined by constraints and attributes. An object'sconstraints are search criteria that define the set of events to beoperated on by running a search having that search criteria at the timethe data model is selected. An object's attributes are the set of fieldsto be exposed for operating on that set of events generated by thesearch criteria.

Objects in data models can be arranged hierarchically in parent/childrelationships. Each child object represents a subset of the datasetcovered by its parent object. The top-level objects in data models arecollectively referred to as “root objects.”

Child objects have inheritance. Child objects inherit constraints andattributes from their parent objects and may have additional constraintsand attributes of their own. Child objects provide a way of filteringevents from parent objects. Because a child object may provide anadditional constraint in addition to the constraints it has inheritedfrom its parent object, the dataset it represents may be a subset of thedataset that its parent represents. For example, a first data modelobject may define a broad set of data pertaining to e-mail activitygenerally, and another data model object may define specific datasetswithin the broad dataset, such as a subset of the e-mail data pertainingspecifically to e-mails sent. For example, a user can simply select an“e-mail activity” data model object to access a dataset relating toe-mails generally (e.g., sent or received), or select an “e-mails sent”data model object (or data sub-model object) to access a datasetrelating to e-mails sent.

Because a data model object is defined by its constraints (e.g., a setof search criteria) and attributes (e.g., a set of fields), a data modelobject can be used to quickly search data to identify a set of eventsand to identify a set of fields to be associated with the set of events.For example, an “e-mails sent” data model object may specify a searchfor events relating to e-mails that have been sent, and specify a set offields that are associated with the events. Thus, a user can retrieveand use the “e-mails sent” data model object to quickly search sourcedata for events relating to sent e-mails, and may be provided with alisting of the set of fields relevant to the events in a user interfacescreen.

Examples of data models can include electronic mail, authentication,databases, intrusion detection, malware, application state, alerts,compute inventory, network sessions, network traffic, performance,audits, updates, vulnerabilities, etc. Data models and their objects canbe designed by knowledge managers in an organization, and they canenable downstream users to quickly focus on a specific set of data. Auser iteratively applies a model development tool (not shown in FIG. 8A)to prepare a query that defines a subset of events and assigns an objectname to that subset. A child subset is created by further limiting aquery that generated a parent subset.

Data definitions in associated schemas can be taken from the commoninformation model (CIM) or can be devised for a particular schema andoptionally added to the CIM. Child objects inherit fields from parentsand can include fields not present in parents. A model developer canselect fewer extraction rules than are available for the sourcesreturned by the query that defines events belonging to a model.Selecting a limited set of extraction rules can be a tool forsimplifying and focusing the data model, while allowing a userflexibility to explore the data subset. Development of a data model isfurther explained in U.S. Pat. Nos. 8,788,525 and 8,788,526, bothentitled “DATA MODEL FOR MACHINE DATA FOR SEMANTIC SEARCH”, both issuedon 22 Jul. 2014, U.S. Pat. No. 8,983,994, entitled “GENERATION OF A DATAMODEL FOR SEARCHING MACHINE DATA”, issued on 17 Mar. 2015, U.S. Pat. No.9,128,980, entitled “GENERATION OF A DATA MODEL APPLIED TO QUERIES”,issued on 8 Sep. 2015, and U.S. Pat. No. 9,589,012, entitled “GENERATIONOF A DATA MODEL APPLIED TO OBJECT QUERIES”, issued on 7 Mar. 2017, eachof which is hereby incorporated by reference in its entirety for allpurposes.

A data model can also include reports. One or more report formats can beassociated with a particular data model and be made available to runagainst the data model. A user can use child objects to design reportswith object datasets that already have extraneous data pre-filtered out.In some embodiments, the data intake and query system 108 provides theuser with the ability to produce reports (e.g., a table, chart,visualization, etc.) without having to enter SPL, SQL, or other querylanguage terms into a search screen. Data models are used as the basisfor the search feature.

Data models may be selected in a report generation interface. The reportgenerator supports drag-and-drop organization of fields to be summarizedin a report. When a model is selected, the fields with availableextraction rules are made available for use in the report. The user mayrefine and/or filter search results to produce more precise reports. Theuser may select some fields for organizing the report and select otherfields for providing detail according to the report organization. Forexample, “region” and “salesperson” are fields used for organizing thereport and sales data can be summarized (subtotaled and totaled) withinthis organization. The report generator allows the user to specify oneor more fields within events and apply statistical analysis on valuesextracted from the specified one or more fields. The report generatormay aggregate search results across sets of events and generatestatistics based on aggregated search results. Building reports usingthe report generation interface is further explained in U.S. patentapplication Ser. No. 14/503,335, entitled “GENERATING REPORTS FROMUNSTRUCTURED DATA”, filed on 30 Sep. 2014, and which is herebyincorporated by reference in its entirety for all purposes. Datavisualizations also can be generated in a variety of formats, byreference to the data model. Reports, data visualizations, and datamodel objects can be saved and associated with the data model for futureuse. The data model object may be used to perform searches of otherdata.

FIGS. 9-15 are interface diagrams of example report generation userinterfaces, in accordance with example embodiments. The reportgeneration process may be driven by a predefined data model object, suchas a data model object defined and/or saved via a reporting applicationor a data model object obtained from another source. A user can load asaved data model object using a report editor. For example, the initialsearch query and fields used to drive the report editor may be obtainedfrom a data model object. The data model object that is used to drive areport generation process may define a search and a set of fields. Uponloading of the data model object, the report generation process mayenable a user to use the fields (e.g., the fields defined by the datamodel object) to define criteria for a report (e.g., filters, splitrows/columns, aggregates, etc.) and the search may be used to identifyevents (e.g., to identify events responsive to the search) used togenerate the report. That is, for example, if a data model object isselected to drive a report editor, the graphical user interface of thereport editor may enable a user to define reporting criteria for thereport using the fields associated with the selected data model object,and the events used to generate the report may be constrained to theevents that match, or otherwise satisfy, the search constraints of theselected data model object.

The selection of a data model object for use in driving a reportgeneration may be facilitated by a data model object selectioninterface. FIG. 9 illustrates an example interactive data modelselection graphical user interface 900 of a report editor that displaysa listing of available data models 901. The user may select one of thedata models 902.

FIG. 10 illustrates an example data model object selection graphicaluser interface 1000 that displays available data objects 1001 for theselected data object model 902. The user may select one of the displayeddata model objects 1002 for use in driving the report generationprocess.

Once a data model object is selected by the user, a user interfacescreen 1100 shown in FIG. 11A may display an interactive listing ofautomatic field identification options 1101 based on the selected datamodel object. For example, a user may select one of the threeillustrated options (e.g., the “All Fields” option 1102, the “SelectedFields” option 1103, or the “Coverage” option (e.g., fields with atleast a specified % of coverage) 1104). If the user selects the “AllFields” option 1102, all of the fields identified from the events thatwere returned in response to an initial search query may be selected.That is, for example, all of the fields of the identified data modelobject fields may be selected. If the user selects the “Selected Fields”option 1103, only the fields from the fields of the identified datamodel object fields that are selected by the user may be used. If theuser selects the “Coverage” option 1104, only the fields of theidentified data model object fields meeting a specified coveragecriteria may be selected. A percent coverage may refer to the percentageof events returned by the initial search query that a given fieldappears in. Thus, for example, if an object dataset includes 10,000events returned in response to an initial search query, and the“avg_age” field appears in 854 of those 10,000 events, then the“avg_age” field would have a coverage of 8.54% for that object dataset.If, for example, the user selects the “Coverage” option and specifies acoverage value of 2%, only fields having a coverage value equal to orgreater than 2% may be selected. The number of fields corresponding toeach selectable option may be displayed in association with each option.For example, “97” displayed next to the “All Fields” option 1102indicates that 97 fields will be selected if the “All Fields” option isselected. The “3” displayed next to the “Selected Fields” option 1103indicates that 3 of the 97 fields will be selected if the “SelectedFields” option is selected. The “49” displayed next to the “Coverage”option 1104 indicates that 49 of the 97 fields (e.g., the 49 fieldshaving a coverage of 2% or greater) will be selected if the “Coverage”option is selected. The number of fields corresponding to the “Coverage”option may be dynamically updated based on the specified percent ofcoverage.

FIG. 11B illustrates an example graphical user interface screen 1105displaying the reporting application's “Report Editor” page. The screenmay display interactive elements for defining various elements of areport. For example, the page includes a “Filters” element 1106, a“Split Rows” element 1107, a “Split Columns” element 1108, and a “ColumnValues” element 1109. The page may include a list of search results1111. In this example, the Split Rows element 1107 is expanded,revealing a listing of fields 1110 that can be used to define additionalcriteria (e.g., reporting criteria). The listing of fields 1110 maycorrespond to the selected fields. That is, the listing of fields 1110may list only the fields previously selected, either automaticallyand/or manually by a user. FIG. 11C illustrates a formatting dialogue1112 that may be displayed upon selecting a field from the listing offields 1110. The dialogue can be used to format the display of theresults of the selection (e.g., label the column for the selected fieldto be displayed as “component”).

FIG. 11D illustrates an example graphical user interface screen 1105including a table of results 1113 based on the selected criteriaincluding splitting the rows by the “component” field. A column 1114having an associated count for each component listed in the table may bedisplayed that indicates an aggregate count of the number of times thatthe particular field-value pair (e.g., the value in a row for aparticular field, such as the value “BucketMover” for the field“component”) occurs in the set of events responsive to the initialsearch query.

FIG. 12 illustrates an example graphical user interface screen 1200 thatallows the user to filter search results and to perform statisticalanalysis on values extracted from specific fields in the set of events.In this example, the top ten product names ranked by price are selectedas a filter 1201 that causes the display of the ten most popularproducts sorted by price. Each row is displayed by product name andprice 1202. This results in each product displayed in a column labeled“product name” along with an associated price in a column labeled“price” 1206. Statistical analysis of other fields in the eventsassociated with the ten most popular products have been specified ascolumn values 1203. A count of the number of successful purchases foreach product is displayed in column 1204. These statistics may beproduced by filtering the search results by the product name, findingall occurrences of a successful purchase in a field within the eventsand generating a total of the number of occurrences. A sum of the totalsales is displayed in column 1205, which is a result of themultiplication of the price and the number of successful purchases foreach product.

The reporting application allows the user to create graphicalvisualizations of the statistics generated for a report. For example,FIG. 13 illustrates an example graphical user interface 1300 thatdisplays a set of components and associated statistics 1301. Thereporting application allows the user to select a visualization of thestatistics in a graph (e.g., bar chart, scatter plot, area chart, linechart, pie chart, radial gauge, marker gauge, filler gauge, etc.), wherethe format of the graph may be selected using the user interfacecontrols 1302 along the left panel of the user interface 1300. FIG. 14illustrates an example of a bar chart visualization 1400 of an aspect ofthe statistical data 1301. FIG. 15 illustrates a scatter plotvisualization 1500 of an aspect of the statistical data 1301.

The above-described system provides significant flexibility by enablinga user to analyze massive quantities of minimally-processed data “on thefly” at search time using a late-binding schema, instead of storingpre-specified portions of the data in a database at ingestion time. Thisflexibility enables a user to see valuable insights, correlate data, andperform subsequent queries to examine interesting aspects of the datathat may not have been apparent at ingestion time.

However, performing extraction and analysis operations at search timecan involve a large amount of data and require a large number ofcomputational operations, which can cause delays in processing thequeries. Advantageously, the data intake and query system also employs anumber of unique acceleration techniques that have been developed tospeed up analysis operations performed at search time. These techniquesinclude: (1) performing search operations in parallel across multipleindexers; (2) using a keyword index; (3) using a high performanceanalytics store; and (4) accelerating the process of generating reports.These novel techniques are described in more detail below.

To facilitate faster query processing, a query can be structured suchthat multiple indexers perform the query in parallel, while aggregationof search results from the multiple indexers is performed locally at thesearch head. For example, FIG. 16 is an example search query receivedfrom a client and executed by search peers, in accordance with exampleembodiments. FIG. 16 illustrates how a search query 1602 received from aclient at a search head 210 can split into two phases, including: (1)subtasks 1604 (e.g., data retrieval or simple filtering) that may beperformed in parallel by indexers 206 for execution, and (2) a searchresults aggregation operation 1606 to be executed by the search headwhen the results are ultimately collected from the indexers.

During operation, upon receiving search query 1602, a search head 210determines that a portion of the operations involved with the searchquery may be performed locally by the search head. The search headmodifies search query 1602 by substituting “stats” (create aggregatestatistics over results sets received from the indexers at the searchhead) with “prestats” (create statistics by the indexer from localresults set) to produce search query 1604, and then distributes searchquery 1604 to distributed indexers, which are also referred to as“search peers” or “peer indexers.” Note that search queries maygenerally specify search criteria or operations to be performed onevents that meet the search criteria. Search queries may also specifyfield names, as well as search criteria for the values in the fields oroperations to be performed on the values in the fields. Moreover, thesearch head may distribute the full search query to the search peers asillustrated in FIG. 6A, or may alternatively distribute a modifiedversion (e.g., a more restricted version) of the search query to thesearch peers. In this example, the indexers are responsible forproducing the results and sending them to the search head. After theindexers return the results to the search head, the search headaggregates the received results 1606 to form a single search result set.By executing the query in this manner, the system effectivelydistributes the computational operations across the indexers whileminimizing data transfers.

As described above with reference to the flow charts in FIG. 5A and FIG.6A, data intake and query system 108 can construct and maintain one ormore keyword indices to quickly identify events containing specifickeywords. This technique can greatly speed up the processing of queriesinvolving specific keywords. As mentioned above, to build a keywordindex, an indexer first identifies a set of keywords. Then, the indexerincludes the identified keywords in an index, which associates eachstored keyword with references to events containing that keyword, or tolocations within events where that keyword is located. When an indexersubsequently receives a keyword-based query, the indexer can access thekeyword index to quickly identify events containing the keyword.

To speed up certain types of queries, some embodiments of system 108create a high performance analytics store, which is referred to as a“summarization table,” that contains entries for specific field-valuepairs. Each of these entries keeps track of instances of a specificvalue in a specific field in the events and includes references toevents containing the specific value in the specific field. For example,an example entry in a summarization table can keep track of occurrencesof the value “94107” in a “ZIP code” field of a set of events and theentry includes references to all of the events that contain the value“94107” in the ZIP code field. This optimization technique enables thesystem to quickly process queries that seek to determine how many eventshave a particular value for a particular field. To this end, the systemcan examine the entry in the summarization table to count instances ofthe specific value in the field without having to go through theindividual events or perform data extractions at search time. Also, ifthe system needs to process all events that have a specific field-valuecombination, the system can use the references in the summarizationtable entry to directly access the events to extract further informationwithout having to search all of the events to find the specificfield-value combination at search time.

In some embodiments, the system maintains a separate summarization tablefor each of the above-described time-specific buckets that stores eventsfor a specific time range. A bucket-specific summarization tableincludes entries for specific field-value combinations that occur inevents in the specific bucket. Alternatively, the system can maintain aseparate summarization table for each indexer. The indexer-specificsummarization table includes entries for the events in a data store thatare managed by the specific indexer. Indexer-specific summarizationtables may also be bucket-specific.

The summarization table can be populated by running a periodic querythat scans a set of events to find instances of a specific field-valuecombination, or alternatively instances of all field-value combinationsfor a specific field. A periodic query can be initiated by a user, orcan be scheduled to occur automatically at specific time intervals. Aperiodic query can also be automatically launched in response to a querythat asks for a specific field-value combination.

In some cases, when the summarization tables may not cover all of theevents that are relevant to a query, the system can use thesummarization tables to obtain partial results for the events that arecovered by summarization tables, but may also have to search throughother events that are not covered by the summarization tables to produceadditional results. These additional results can then be combined withthe partial results to produce a final set of results for the query. Thesummarization table and associated techniques are described in moredetail in U.S. Pat. No. 8,682,925, entitled “DISTRIBUTED HIGHPERFORMANCE ANALYTICS STORE”, issued on 25 Mar. 2014, U.S. Pat. No.9,128,985, entitled “SUPPLEMENTING A HIGH PERFORMANCE ANALYTICS STOREWITH EVALUATION OF INDIVIDUAL EVENTS TO RESPOND TO AN EVENT QUERY”,issued on 8 Sep. 2015, and U.S. patent application Ser. No. 14/815,973,entitled “GENERATING AND STORING SUMMARIZATION TABLES FOR SETS OFSEARCHABLE EVENTS”, filed on 1 Aug. 2015, each of which is herebyincorporated by reference in its entirety for all purposes.

To speed up certain types of queries, e.g., frequently encounteredqueries or computationally intensive queries, some embodiments of system108 create a high performance analytics store, which is referred to as a“summarization table,” (also referred to as a “lexicon” or “invertedindex”) that contains entries for specific field-value pairs. Each ofthese entries keeps track of instances of a specific value in a specificfield in the event data and includes references to events containing thespecific value in the specific field. For example, an example entry inan inverted index can keep track of occurrences of the value “94107” ina “ZIP code” field of a set of events and the entry includes referencesto all of the events that contain the value “94107” in the ZIP codefield. Creating the inverted index data structure avoids needing toincur the computational overhead each time a statistical query needs tobe run on a frequently encountered field-value pair. In order toexpedite queries, in most embodiments, the search engine will employ theinverted index separate from the raw record data store to generateresponses to the received queries.

Note that the term “summarization table” or “inverted index” as usedherein is a data structure that may be generated by an indexer thatincludes at least field names and field values that have been extractedand/or indexed from event records. An inverted index may also includereference values that point to the location(s) in the field searchabledata store where the event records that include the field may be found.Also, an inverted index may be stored using well-known compressiontechniques to reduce its storage size.

Further, note that the term “reference value” (also referred to as a“posting value”) as used herein is a value that references the locationof a source record in the field searchable data store. In someembodiments, the reference value may include additional informationabout each record, such as timestamps, record size, meta-data, or thelike. Each reference value may be a unique identifier which may be usedto access the event data directly in the field searchable data store. Insome embodiments, the reference values may be ordered based on eachevent record's timestamp. For example, if numbers are used asidentifiers, they may be sorted so event records having a latertimestamp always have a lower valued identifier than event records withan earlier timestamp, or vice-versa. Reference values are often includedin inverted indexes for retrieving and/or identifying event records.

In one or more embodiments, an inverted index is generated in responseto a user-initiated collection query. The term “collection query” asused herein refers to queries that include commands that generatesummarization information and inverted indexes (or summarization tables)from event records stored in the field searchable data store.

Note that a collection query is a special type of query that can beuser-generated and is used to create an inverted index. A collectionquery is not the same as a query that is used to call up or invoke apre-existing inverted index. In one or more embodiments, a query cancomprise an initial step that calls up a pre-generated inverted index onwhich further filtering and processing can be performed. For example,referring back to FIG. 6B, a set of events can be generated at block 640by either using a “collection” query to create a new inverted index orby calling up a pre-generated inverted index. A query with severalpipelined steps will start with a pre-generated index to accelerate thequery.

FIG. 7C illustrates the manner in which an inverted index is created andused in accordance with the disclosed embodiments. As shown in FIG. 7C,an inverted index 722 can be created in response to a user-initiatedcollection query using the event data 723 stored in the raw record datastore. For example, a non-limiting example of a collection query mayinclude “collect clientip=127.0.0.1” which may result in an invertedindex 722 being generated from the event data 723 as shown in FIG. 7C.Each entry in inverted index 722 includes an event reference value thatreferences the location of a source record in the field searchable datastore. The reference value may be used to access the original eventrecord directly from the field searchable data store.

In one or more embodiments, if one or more of the queries is acollection query, the responsive indexers may generate summarizationinformation based on the fields of the event records located in thefield searchable data store. In at least one of the various embodiments,one or more of the fields used in the summarization information may belisted in the collection query and/or they may be determined based onterms included in the collection query. For example, a collection querymay include an explicit list of fields to summarize. Or, in at least oneof the various embodiments, a collection query may include terms orexpressions that explicitly define the fields, e.g., using regex rules.In FIG. 7C, prior to running the collection query that generates theinverted index 722, the field name “clientip” may need to be defined ina configuration file by specifying the “access_combined” source type anda regular expression rule to parse out the client IP address.Alternatively, the collection query may contain an explicit definitionfor the field name “clientip” which may obviate the need to referencethe configuration file at search time.

In one or more embodiments, collection queries may be saved andscheduled to run periodically. These scheduled collection queries mayperiodically update the summarization information corresponding to thequery. For example, if the collection query that generates invertedindex 722 is scheduled to run periodically, one or more indexers wouldperiodically search through the relevant buckets to update invertedindex 722 with event data for any new events with the “clientip” valueof “127.0.0.1.”

In some embodiments, the inverted indexes that include fields, values,and reference value (e.g., inverted index 722) for event records may beincluded in the summarization information provided to the user. In otherembodiments, a user may not be interested in specific fields and valuescontained in the inverted index, but may need to perform a statisticalquery on the data in the inverted index. For example, referencing theexample of FIG. 7C rather than viewing the fields within summarizationtable 722, a user may want to generate a count of all client requestsfrom IP address “127.0.0.1.” In this case, the search engine wouldsimply return a result of “4” rather than including details about theinverted index 722 in the information provided to the user.

The pipelined search language, e.g., SPL of the SPLUNK® ENTERPRISEsystem can be used to pipe the contents of an inverted index to astatistical query using the “stats” command for example. A “stats” queryrefers to queries that generate result sets that may produce aggregateand statistical results from event records, e.g., average, mean, max,min, rms, etc. Where sufficient information is available in an invertedindex, a “stats” query may generate their result sets rapidly from thesummarization information available in the inverted index rather thandirectly scanning event records. For example, the contents of invertedindex 722 can be pipelined to a stats query, e.g., a “count” functionthat counts the number of entries in the inverted index and returns avalue of “4.” In this way, inverted indexes may enable various statsqueries to be performed absent scanning or search the event records.Accordingly, this optimization technique enables the system to quicklyprocess queries that seek to determine how many events have a particularvalue for a particular field. To this end, the system can examine theentry in the inverted index to count instances of the specific value inthe field without having to go through the individual events or performdata extractions at search time.

In some embodiments, the system maintains a separate inverted index foreach of the above-described time-specific buckets that stores events fora specific time range. A bucket-specific inverted index includes entriesfor specific field-value combinations that occur in events in thespecific bucket. Alternatively, the system can maintain a separateinverted index for each indexer. The indexer-specific inverted indexincludes entries for the events in a data store that are managed by thespecific indexer. Indexer-specific inverted indexes may also bebucket-specific. In at least one or more embodiments, if one or more ofthe queries is a stats query, each indexer may generate a partial resultset from previously generated summarization information. The partialresult sets may be returned to the search head that received the queryand combined into a single result set for the query

As mentioned above, the inverted index can be populated by running aperiodic query that scans a set of events to find instances of aspecific field-value combination, or alternatively instances of allfield-value combinations for a specific field. A periodic query can beinitiated by a user, or can be scheduled to occur automatically atspecific time intervals. A periodic query can also be automaticallylaunched in response to a query that asks for a specific field-valuecombination. In some embodiments, if summarization information is absentfrom an indexer that includes responsive event records, further actionsmay be taken, such as, the summarization information may be generated onthe fly, warnings may be provided the user, the collection queryoperation may be halted, the absence of summarization information may beignored, or the like, or combination thereof.

In one or more embodiments, an inverted index may be set up to updatecontinually. For example, the query may ask for the inverted index toupdate its result periodically, e.g., every hour. In such instances, theinverted index may be a dynamic data structure that is regularly updatedto include information regarding incoming events.

In some cases, e.g., where a query is executed before an inverted indexupdates, when the inverted index may not cover all of the events thatare relevant to a query, the system can use the inverted index to obtainpartial results for the events that are covered by inverted index, butmay also have to search through other events that are not covered by theinverted index to produce additional results on the fly. In other words,an indexer would need to search through event data on the data store tosupplement the partial results. These additional results can then becombined with the partial results to produce a final set of results forthe query. Note that in typical instances where an inverted index is notcompletely up to date, the number of events that an indexer would needto search through to supplement the results from the inverted indexwould be relatively small. In other words, the search to get the mostrecent results can be quick and efficient because only a small number ofevent records will be searched through to supplement the informationfrom the inverted index. The inverted index and associated techniquesare described in more detail in U.S. Pat. No. 8,682,925, entitled“DISTRIBUTED HIGH PERFORMANCE ANALYTICS STORE”, issued on 25 Mar. 2014,U.S. Pat. No. 9,128,985, entitled “SUPPLEMENTING A HIGH PERFORMANCEANALYTICS STORE WITH EVALUATION OF INDIVIDUAL EVENTS TO RESPOND TO ANEVENT QUERY”, filed on 31 Jan. 2014, and U.S. patent application Ser.No. 14/815,973, entitled “STORAGE MEDIUM AND CONTROL DEVICE”, filed on21 Feb. 2014, each of which is hereby incorporated by reference in itsentirety.

In one or more embodiments, if the system needs to process all eventsthat have a specific field-value combination, the system can use thereferences in the inverted index entry to directly access the events toextract further information without having to search all of the eventsto find the specific field-value combination at search time. In otherwords, the system can use the reference values to locate the associatedevent data in the field searchable data store and extract furtherinformation from those events, e.g., extract further field values fromthe events for purposes of filtering or processing or both.

The information extracted from the event data using the reference valuescan be directed for further filtering or processing in a query using thepipeline search language. The pipelined search language will, in oneembodiment, include syntax that can direct the initial filtering step ina query to an inverted index. In one embodiment, a user would includesyntax in the query that explicitly directs the initial searching orfiltering step to the inverted index.

Referencing the example in FIG. 7C, if the user determines that sheneeds the user id fields associated with the client requests from IPaddress “127.0.0.1,” instead of incurring the computational overhead ofperforming a brand new search or re-generating the inverted index withan additional field, the user can generate a query that explicitlydirects or pipes the contents of the already generated inverted index722 to another filtering step requesting the user ids for the entries ininverted index 722 where the server response time is greater than“0.0900” microseconds. The search engine would use the reference valuesstored in inverted index 722 to retrieve the event data from the fieldsearchable data store, filter the results based on the “response time”field values and, further, extract the user id field from the resultingevent data to return to the user. In the present instance, the user ids“frank” and “carlos” would be returned to the user from the generatedresults table 722.

In one embodiment, the same methodology can be used to pipe the contentsof the inverted index to a processing step. In other words, the user isable to use the inverted index to efficiently and quickly performaggregate functions on field values that were not part of the initiallygenerated inverted index. For example, a user may want to determine anaverage object size (size of the requested gif) requested by clientsfrom IP address “127.0.0.1.” In this case, the search engine would againuse the reference values stored in inverted index 722 to retrieve theevent data from the field searchable data store and, further, extractthe object size field values from the associated events 731, 732, 733and 734. Once, the corresponding object sizes have been extracted (i.e.2326, 2900, 2920, and 5000), the average can be computed and returned tothe user.

In one embodiment, instead of explicitly invoking the inverted index ina user-generated query, e.g., by the use of special commands or syntax,the SPLUNK® ENTERPRISE system can be configured to automaticallydetermine if any prior-generated inverted index can be used to expeditea user query. For example, the user's query may request the averageobject size (size of the requested gif) requested by clients from IPaddress “127.0.0.1.” without any reference to or use of inverted index722. The search engine, in this case, would automatically determine thatan inverted index 722 already exists in the system that could expeditethis query. In one embodiment, prior to running any search comprising afield-value pair, for example, a search engine may search though all theexisting inverted indexes to determine if a pre-generated inverted indexcould be used to expedite the search comprising the field-value pair.Accordingly, the search engine would automatically use the pre-generatedinverted index, e.g., index 722 to generate the results without anyuser-involvement that directs the use of the index.

Using the reference values in an inverted index to be able to directlyaccess the event data in the field searchable data store and extractfurther information from the associated event data for further filteringand processing is highly advantageous because it avoids incurring thecomputation overhead of regenerating the inverted index with additionalfields or performing a new search.

The data intake and query system includes one or more forwarders thatreceive raw machine data from a variety of input data sources, and oneor more indexers that process and store the data in one or more datastores. By distributing events among the indexers and data stores, theindexers can analyze events for a query in parallel. In one or moreembodiments, a multiple indexer implementation of the search systemwould maintain a separate and respective inverted index for each of theabove-described time-specific buckets that stores events for a specifictime range. A bucket-specific inverted index includes entries forspecific field-value combinations that occur in events in the specificbucket. As explained above, a search head would be able to correlate andsynthesize data from across the various buckets and indexers.

This feature advantageously expedites searches because instead ofperforming a computationally intensive search in a centrally locatedinverted index that catalogues all the relevant events, an indexer isable to directly search an inverted index stored in a bucket associatedwith the time-range specified in the query. This allows the search to beperformed in parallel across the various indexers. Further, if the queryrequests further filtering or processing to be conducted on the eventdata referenced by the locally stored bucket-specific inverted index,the indexer is able to simply access the event records stored in theassociated bucket for further filtering and processing instead ofneeding to access a central repository of event records, which woulddramatically add to the computational overhead.

In one embodiment, there may be multiple buckets associated with thetime-range specified in a query. If the query is directed to an invertedindex, or if the search engine automatically determines that using aninverted index would expedite the processing of the query, the indexerswill search through each of the inverted indexes associated with thebuckets for the specified time-range. This feature allows the HighPerformance Analytics Store to be scaled easily.

In certain instances, where a query is executed before a bucket-specificinverted index updates, when the bucket-specific inverted index may notcover all of the events that are relevant to a query, the system can usethe bucket-specific inverted index to obtain partial results for theevents that are covered by bucket-specific inverted index, but may alsohave to search through the event data in the bucket associated with thebucket-specific inverted index to produce additional results on the fly.In other words, an indexer would need to search through event datastored in the bucket (that was not yet processed by the indexer for thecorresponding inverted index) to supplement the partial results from thebucket-specific inverted index.

FIG. 7D presents a flowchart illustrating how an inverted index in apipelined search query can be used to determine a set of event data thatcan be further limited by filtering or processing in accordance with thedisclosed embodiments.

At block 742, a query is received by a data intake and query system. Insome embodiments, the query can be received as a user generated queryentered into search bar of a graphical user search interface. The searchinterface also includes a time range control element that enablesspecification of a time range for the query.

At block 744, an inverted index is retrieved. Note, that the invertedindex can be retrieved in response to an explicit user search commandinputted as part of the user generated query. Alternatively, the searchengine can be configured to automatically use an inverted index if itdetermines that using the inverted index would expedite the servicing ofthe user generated query. Each of the entries in an inverted index keepstrack of instances of a specific value in a specific field in the eventdata and includes references to events containing the specific value inthe specific field. In order to expedite queries, in most embodiments,the search engine will employ the inverted index separate from the rawrecord data store to generate responses to the received queries.

At block 746, the query engine determines if the query contains furtherfiltering and processing steps. If the query contains no furthercommands, then, in one embodiment, summarization information can beprovided to the user at block 754.

If, however, the query does contain further filtering and processingcommands, then at block 750, the query engine determines if the commandsrelate to further filtering or processing of the data extracted as partof the inverted index or whether the commands are directed to using theinverted index as an initial filtering step to further filter andprocess event data referenced by the entries in the inverted index. Ifthe query can be completed using data already in the generated invertedindex, then the further filtering or processing steps, e.g., a “count”number of records function, “average” number of records per hour etc.are performed and the results are provided to the user at block 752.

If, however, the query references fields that are not extracted in theinverted index, then the indexers will access event data pointed to bythe reference values in the inverted index to retrieve any furtherinformation required at block 756. Subsequently, any further filteringor processing steps are performed on the fields extracted directly fromthe event data and the results are provided to the user at step 758.

In some embodiments, a data server system such as the data intake andquery system can accelerate the process of periodically generatingupdated reports based on query results. To accelerate this process, asummarization engine automatically examines the query to determinewhether generation of updated reports can be accelerated by creatingintermediate summaries. If reports can be accelerated, the summarizationengine periodically generates a summary covering data obtained during alatest non-overlapping time period. For example, where the query seeksevents meeting a specified criteria, a summary for the time periodincludes only events within the time period that meet the specifiedcriteria. Similarly, if the query seeks statistics calculated from theevents, such as the number of events that match the specified criteria,then the summary for the time period includes the number of events inthe period that match the specified criteria.

In addition to the creation of the summaries, the summarization engineschedules the periodic updating of the report associated with the query.During each scheduled report update, the query engine determines whetherintermediate summaries have been generated covering portions of the timeperiod covered by the report update. If so, then the report is generatedbased on the information contained in the summaries. Also, if additionalevent data has been received and has not yet been summarized, and isrequired to generate the complete report, the query can be run on theseadditional events. Then, the results returned by this query on theadditional events, along with the partial results obtained from theintermediate summaries, can be combined to generate the updated report.This process is repeated each time the report is updated. Alternatively,if the system stores events in buckets covering specific time ranges,then the summaries can be generated on a bucket-by-bucket basis. Notethat producing intermediate summaries can save the work involved inre-running the query for previous time periods, so advantageously onlythe newer events needs to be processed while generating an updatedreport. These report acceleration techniques are described in moredetail in U.S. Pat. No. 8,589,403, entitled “COMPRESSED JOURNALING INEVENT TRACKING FILES FOR METADATA RECOVERY AND REPLICATION”, issued on19 Nov. 2013, U.S. Pat. No. 8,412,696, entitled “REAL TIME SEARCHING ANDREPORTING”, issued on 2 Apr. 2011, and U.S. Pat. Nos. 8,589,375 and8,589,432, both also entitled “REAL TIME SEARCHING AND REPORTING”, bothissued on 19 Nov. 2013, each of which is hereby incorporated byreference in its entirety for all purposes.

The data intake and query system provides various schemas, dashboards,and visualizations that simplify developers' tasks to createapplications with additional capabilities. One such application is anenterprise security application, such as SPLUNK® ENTERPRISE SECURITY,which performs monitoring and alerting operations and includes analyticsto facilitate identifying both known and unknown security threats basedon large volumes of data stored by the data intake and query system. Theenterprise security application provides the security practitioner withvisibility into security-relevant threats found in the enterpriseinfrastructure by capturing, monitoring, and reporting on data fromenterprise security devices, systems, and applications. Through the useof the data intake and query system searching and reportingcapabilities, the enterprise security application provides a top-downand bottom-up view of an organization's security posture.

The enterprise security application leverages the data intake and querysystem search-time normalization techniques, saved searches, andcorrelation searches to provide visibility into security-relevantthreats and activity and generate notable events for tracking. Theenterprise security application enables the security practitioner toinvestigate and explore the data to find new or unknown threats that donot follow signature-based patterns.

Conventional Security Information and Event Management (SIEM) systemslack the infrastructure to effectively store and analyze large volumesof security-related data. Traditional SIEM systems typically use fixedschemas to extract data from pre-defined security-related fields at dataingestion time and store the extracted data in a relational database.This traditional data extraction process (and associated reduction indata size) that occurs at data ingestion time inevitably hampers futureincident investigations that may need original data to determine theroot cause of a security issue, or to detect the onset of an impendingsecurity threat.

In contrast, the enterprise security application system stores largevolumes of minimally-processed security-related data at ingestion timefor later retrieval and analysis at search time when a live securitythreat is being investigated. To facilitate this data retrieval process,the enterprise security application provides pre-specified schemas forextracting relevant values from the different types of security-relatedevents and enables a user to define such schemas.

The enterprise security application can process many types ofsecurity-related information. In general, this security-relatedinformation can include any information that can be used to identifysecurity threats. For example, the security-related information caninclude network-related information, such as IP addresses, domain names,asset identifiers, network traffic volume, uniform resource locatorstrings, and source addresses. The process of detecting security threatsfor network-related information is further described in U.S. Pat. No.8,826,434, entitled “SECURITY THREAT DETECTION BASED ON INDICATIONS INBIG DATA OF ACCESS TO NEWLY REGISTERED DOMAINS”, issued on 2 Sep. 2014,U.S. Pat. No. 9,215,240, entitled “INVESTIGATIVE AND DYNAMIC DETECTIONOF POTENTIAL SECURITY-THREAT INDICATORS FROM EVENTS IN BIG DATA”, issuedon 15 Dec. 2015, U.S. Pat. No. 9,173,801, entitled “GRAPHIC DISPLAY OFSECURITY THREATS BASED ON INDICATIONS OF ACCESS TO NEWLY REGISTEREDDOMAINS”, issued on 3 Nov. 2015, U.S. Pat. No. 9,248,068, entitled“SECURITY THREAT DETECTION OF NEWLY REGISTERED DOMAINS”, issued on 2Feb. 2016, U.S. Pat. No. 9,426,172, entitled “SECURITY THREAT DETECTIONUSING DOMAIN NAME ACCESSES”, issued on 23 Aug. 2016, and U.S. Pat. No.9,432,396, entitled “SECURITY THREAT DETECTION USING DOMAIN NAMEREGISTRATIONS”, issued on 30 Aug. 2016, each of which is herebyincorporated by reference in its entirety for all purposes.Security-related information can also include malware infection data andsystem configuration information, as well as access control information,such as login/logout information and access failure notifications. Thesecurity-related information can originate from various sources within adata center, such as hosts, virtual machines, storage devices andsensors. The security-related information can also originate fromvarious sources in a network, such as routers, switches, email servers,proxy servers, gateways, firewalls and intrusion-detection systems.

During operation, the enterprise security application facilitatesdetecting “notable events” that are likely to indicate a securitythreat. A notable event represents one or more anomalous incidents, theoccurrence of which can be identified based on one or more events (e.g.,time stamped portions of raw machine data) fulfilling pre-specifiedand/or dynamically-determined (e.g., based on machine-learning) criteriadefined for that notable event. Examples of notable events include therepeated occurrence of an abnormal spike in network usage over a periodof time, a single occurrence of unauthorized access to system, a hostcommunicating with a server on a known threat list, and the like. Thesenotable events can be detected in a number of ways, such as: (1) a usercan notice a correlation in events and can manually identify that acorresponding group of one or more events amounts to a notable event; or(2) a user can define a “correlation search” specifying criteria for anotable event, and every time one or more events satisfy the criteria,the application can indicate that the one or more events correspond to anotable event; and the like. A user can alternatively select apre-defined correlation search provided by the application. Note thatcorrelation searches can be run continuously or at regular intervals(e.g., every hour) to search for notable events. Upon detection, notableevents can be stored in a dedicated “notable events index,” which can besubsequently accessed to generate various visualizations containingsecurity-related information. Also, alerts can be generated to notifysystem operators when important notable events are discovered.

The enterprise security application provides various visualizations toaid in discovering security threats, such as a “key indicators view”that enables a user to view security metrics, such as counts ofdifferent types of notable events. For example, FIG. 17A illustrates anexample key indicators view 1700 that comprises a dashboard, which candisplay a value 1701, for various security-related metrics, such asmalware infections 1702. It can also display a change in a metric value1703, which indicates that the number of malware infections increased by63 during the preceding interval. Key indicators view 1700 additionallydisplays a histogram panel 1704 that displays a histogram of notableevents organized by urgency values, and a histogram of notable eventsorganized by time intervals. This key indicators view is described infurther detail in pending U.S. patent application Ser. No. 13/956,338,entitled “KEY INDICATORS VIEW”, filed on 31 Jul. 2013, and which ishereby incorporated by reference in its entirety for all purposes.

These visualizations can also include an “incident review dashboard”that enables a user to view and act on “notable events.” These notableevents can include: (1) a single event of high importance, such as anyactivity from a known web attacker; or (2) multiple events thatcollectively warrant review, such as a large number of authenticationfailures on a host followed by a successful authentication. For example,FIG. 17B illustrates an example incident review dashboard 1710 thatincludes a set of incident attribute fields 1711 that, for example,enables a user to specify a time range field 1712 for the displayedevents. It also includes a timeline 1713 that graphically illustratesthe number of incidents that occurred in time intervals over theselected time range. It additionally displays an events list 1714 thatenables a user to view a list of all of the notable events that matchthe criteria in the incident attributes fields 1711. To facilitateidentifying patterns among the notable events, each notable event can beassociated with an urgency value (e.g., low, medium, high, critical),which is indicated in the incident review dashboard. The urgency valuefor a detected event can be determined based on the severity of theevent and the priority of the system component associated with theevent.

As mentioned above, the data intake and query platform provides variousfeatures that simplify the developer's task to create variousapplications. One such application is a virtual machine monitoringapplication, such as SPLUNK® APP FOR VMWARE® that provides operationalvisibility into granular performance metrics, logs, tasks and events,and topology from hosts, virtual machines and virtual centers. Itempowers administrators with an accurate real-time picture of the healthof the environment, proactively identifying performance and capacitybottlenecks.

Conventional data-center-monitoring systems lack the infrastructure toeffectively store and analyze large volumes of machine-generated data,such as performance information and log data obtained from the datacenter. In conventional data-center-monitoring systems,machine-generated data is typically pre-processed prior to being stored,for example, by extracting pre-specified data items and storing them ina database to facilitate subsequent retrieval and analysis at searchtime. However, the rest of the data is not saved and discarded duringpre-processing.

In contrast, the virtual machine monitoring application stores largevolumes of minimally processed machine data, such as performanceinformation and log data, at ingestion time for later retrieval andanalysis at search time when a live performance issue is beinginvestigated. In addition to data obtained from various log files, thisperformance-related information can include values for performancemetrics obtained through an application programming interface (API)provided as part of the vSphere Hypervisor™ system distributed byVMware, Inc. of Palo Alto, California. For example, these performancemetrics can include: (1) CPU-related performance metrics; (2)disk-related performance metrics; (3) memory-related performancemetrics; (4) network-related performance metrics; (5) energy-usagestatistics; (6) data-traffic-related performance metrics; (7) overallsystem availability performance metrics; (8) cluster-related performancemetrics; and (9) virtual machine performance statistics. Suchperformance metrics are described in U.S. patent application Ser. No.14/167,316, entitled “CORRELATION FOR USER-SELECTED TIME RANGES OFVALUES FOR PERFORMANCE METRICS OF COMPONENTS IN ANINFORMATION-TECHNOLOGY ENVIRONMENT WITH LOG DATA FROM THATINFORMATION-TECHNOLOGY ENVIRONMENT”, filed on 29 Jan. 2014, and which ishereby incorporated by reference in its entirety for all purposes.

To facilitate retrieving information of interest from performance dataand log files, the virtual machine monitoring application providespre-specified schemas for extracting relevant values from differenttypes of performance-related events, and also enables a user to definesuch schemas.

The virtual machine monitoring application additionally provides variousvisualizations to facilitate detecting and diagnosing the root cause ofperformance problems. For example, one such visualization is a“proactive monitoring tree” that enables a user to easily view andunderstand relationships among various factors that affect theperformance of a hierarchically structured computing system. Thisproactive monitoring tree enables a user to easily navigate thehierarchy by selectively expanding nodes representing various entities(e.g., virtual centers or computing clusters) to view performanceinformation for lower-level nodes associated with lower-level entities(e.g., virtual machines or host systems). Example node-expansionoperations are illustrated in FIG. 17C, wherein nodes 1733 and 1734 areselectively expanded. Note that nodes 1731-1739 can be displayed usingdifferent patterns or colors to represent different performance states,such as a critical state, a warning state, a normal state or anunknown/offline state. The ease of navigation provided by selectiveexpansion in combination with the associated performance-stateinformation enables a user to quickly diagnose the root cause of aperformance problem. The proactive monitoring tree is described infurther detail in U.S. Pat. No. 9,185,007, entitled “PROACTIVEMONITORING TREE WITH SEVERITY STATE SORTING”, issued on 10 Nov. 2015,and U.S. Pat. No. 9,426,045, also entitled “PROACTIVE MONITORING TREEWITH SEVERITY STATE SORTING”, issued on 23 Aug. 2016, each of which ishereby incorporated by reference in its entirety for all purposes.

The virtual machine monitoring application also provides a userinterface that enables a user to select a specific time range and thenview heterogeneous data comprising events, log data, and associatedperformance metrics for the selected time range. For example, the screenillustrated in FIG. 17D displays a listing of recent “tasks and events”and a listing of recent “log entries” for a selected time range above aperformance-metric graph for “average CPU core utilization” for theselected time range. Note that a user is able to operate pull-down menus1742 to selectively display different performance metric graphs for theselected time range. This enables the user to correlate trends in theperformance-metric graph with corresponding event and log data toquickly determine the root cause of a performance problem. This userinterface is described in more detail in U.S. patent application Ser.No. 14/167,316, entitled “CORRELATION FOR USER-SELECTED TIME RANGES OFVALUES FOR PERFORMANCE METRICS OF COMPONENTS IN ANINFORMATION-TECHNOLOGY ENVIRONMENT WITH LOG DATA FROM THATINFORMATION-TECHNOLOGY ENVIRONMENT”, filed on 29 Jan. 2014, and which ishereby incorporated by reference in its entirety for all purposes.

As previously mentioned, the data intake and query platform providesvarious schemas, dashboards and visualizations that make it easy fordevelopers to create applications to provide additional capabilities.One such application is an IT monitoring application, such as SPLUNK® ITSERVICE INTELLIGENCE™, which performs monitoring and alertingoperations. The IT monitoring application also includes analytics tohelp an analyst diagnose the root cause of performance problems based onlarge volumes of data stored by the data intake and query system ascorrelated to the various services an IT organization provides (aservice-centric view). This differs significantly from conventional ITmonitoring systems that lack the infrastructure to effectively store andanalyze large volumes of service-related events. Traditional servicemonitoring systems typically use fixed schemas to extract data frompre-defined fields at data ingestion time, wherein the extracted data istypically stored in a relational database. This data extraction processand associated reduction in data content that occurs at data ingestiontime inevitably hampers future investigations, when all of the originaldata may be needed to determine the root cause of or contributingfactors to a service issue.

In contrast, an IT monitoring application system stores large volumes ofminimally-processed service-related data at ingestion time for laterretrieval and analysis at search time, to perform regular monitoring, orto investigate a service issue. To facilitate this data retrievalprocess, the IT monitoring application enables a user to define an IToperations infrastructure from the perspective of the services itprovides. In this service-centric approach, a service such as corporatee-mail may be defined in terms of the entities employed to provide theservice, such as host machines and network devices. Each entity isdefined to include information for identifying all of the events thatpertains to the entity, whether produced by the entity itself or byanother machine, and considering the many various ways the entity may beidentified in machine data (such as by a URL, an IP address, or machinename). The service and entity definitions can organize events around aservice so that all of the events pertaining to that service can beeasily identified. This capability provides a foundation for theimplementation of Key Performance Indicators.

One or more Key Performance Indicators (KPI's) are defined for a servicewithin the IT monitoring application. Each KPI measures an aspect ofservice performance at a point in time or over a period of time (aspectKPI's). Each KPI is defined by a search query that derives a KPI valuefrom the machine data of events associated with the entities thatprovide the service. Information in the entity definitions may be usedto identify the appropriate events at the time a KPI is defined orwhenever a KPI value is being determined. The KPI values derived overtime may be stored to build a valuable repository of current andhistorical performance information for the service, and the repository,itself, may be subject to search query processing. Aggregate KPIs may bedefined to provide a measure of service performance calculated from aset of service aspect KPI values; this aggregate may even be takenacross defined timeframes and/or across multiple services. A particularservice may have an aggregate KPI derived from substantially all of theaspect KPI's of the service to indicate an overall health score for theservice.

The IT monitoring application facilitates the production of meaningfulaggregate KPI's through a system of KPI thresholds and state values.Different KPI definitions may produce values in different ranges, and sothe same value may mean something very different from one KPI definitionto another. To address this, the IT monitoring application implements atranslation of individual KPI values to a common domain of “state”values. For example, a KPI range of values may be 1-100, or 50-275,while values in the state domain may be ‘critical,’ warning,′ ‘normal,’and ‘informational’. Thresholds associated with a particular KPIdefinition determine ranges of values for that KPI that correspond tothe various state values. In one case, KPI values 95-100 may be set tocorrespond to ‘critical’ in the state domain. KPI values from disparateKPI's can be processed uniformly once they are translated into thecommon state values using the thresholds. For example, “normal 80% ofthe time” can be applied across various KPI's. To provide meaningfulaggregate KPI's, a weighting value can be assigned to each KPI so thatits influence on the calculated aggregate KPI value is increased ordecreased relative to the other KPI's.

One service in an IT environment often impacts, or is impacted by,another service. The IT monitoring application can reflect thesedependencies. For example, a dependency relationship between a corporatee-mail service and a centralized authentication service can be reflectedby recording an association between their respective servicedefinitions. The recorded associations establish a service dependencytopology that informs the data or selection options presented in a GUI,for example. (The service dependency topology is like a “map” showinghow services are connected based on their dependencies.) The servicetopology may itself be depicted in a GUI and may be interactive to allownavigation among related services.

Entity definitions in the IT monitoring application can includeinformational fields that can serve as metadata, implied data fields, orattributed data fields for the events identified by other aspects of theentity definition. Entity definitions in the IT monitoring applicationcan also be created and updated by an import of tabular data (asrepresented in a CSV, another delimited file, or a search query resultset). The import may be GUI-mediated or processed using importparameters from a GUI-based import definition process. Entitydefinitions in the IT monitoring application can also be associated witha service by means of a service definition rule. Processing the ruleresults in the matching entity definitions being associated with theservice definition. The rule can be processed at creation time, andthereafter on a scheduled or on-demand basis. This allows dynamic,rule-based updates to the service definition.

During operation, the IT monitoring application can recognize notableevents that may indicate a service performance problem or othersituation of interest. These notable events can be recognized by a“correlation search” specifying trigger criteria for a notable event:every time KPI values satisfy the criteria, the application indicates anotable event. A severity level for the notable event may also bespecified. Furthermore, when trigger criteria are satisfied, thecorrelation search may additionally or alternatively cause a serviceticket to be created in an IT service management (ITSM) system, such asa systems available from ServiceNow, Inc., of Santa Clara, California.

SPLUNK® IT SERVICE INTELLIGENCE™ provides various visualizations builton its service-centric organization of events and the KPI valuesgenerated and collected. Visualizations can be particularly useful formonitoring or investigating service performance. The IT monitoringapplication provides a service monitoring interface suitable as the homepage for ongoing IT service monitoring. The interface is appropriate forsettings such as desktop use or for a wall-mounted display in a networkoperations center (NOC). The interface may prominently display aservices health section with tiles for the aggregate KPI's indicatingoverall health for defined services and a general KPI section with tilesfor KPI's related to individual service aspects. These tiles may displayKPI information in a variety of ways, such as by being colored andordered according to factors like the KPI state value. They also can beinteractive and navigate to visualizations of more detailed KPIinformation.

The IT monitoring application provides a service-monitoring dashboardvisualization based on a user-defined template. The template can includeuser-selectable widgets of varying types and styles to display KPIinformation. The content and the appearance of widgets can responddynamically to changing KPI information. The KPI widgets can appear inconjunction with a background image, user drawing objects, or othervisual elements, that depict the IT operations environment, for example.The KPI widgets or other GUI elements can be interactive so as toprovide navigation to visualizations of more detailed KPI information.

The IT monitoring application provides a visualization showing detailedtime-series information for multiple KPI's in parallel graph lanes. Thelength of each lane can correspond to a uniform time range, while thewidth of each lane may be automatically adjusted to fit the displayedKPI data. Data within each lane may be displayed in a user selectablestyle, such as a line, area, or bar chart. During operation a user mayselect a position in the time range of the graph lanes to activate laneinspection at that point in time. Lane inspection may display anindicator for the selected time across the graph lanes and display theKPI value associated with that point in time for each of the graphlanes. The visualization may also provide navigation to an interface fordefining a correlation search, using information from the visualizationto pre-populate the definition.

The IT monitoring application provides a visualization for incidentreview showing detailed information for notable events. The incidentreview visualization may also show summary information for the notableevents over a time frame, such as an indication of the number of notableevents at each of a number of severity levels. The severity leveldisplay may be presented as a rainbow chart with the warmest colorassociated with the highest severity classification. The incident reviewvisualization may also show summary information for the notable eventsover a time frame, such as the number of notable events occurring withinsegments of the time frame. The incident review visualization maydisplay a list of notable events within the time frame ordered by anynumber of factors, such as time or severity. The selection of aparticular notable event from the list may display detailed informationabout that notable event, including an identification of the correlationsearch that generated the notable event.

The IT monitoring application provides pre-specified schemas forextracting relevant values from the different types of service-relatedevents. It also enables a user to define such schemas.

FIG. 18 is a block diagram of an embodiment of the data processingenvironment 200 described previously with reference to FIG. 2 thatincludes a distributed ledger system 1802 as a data source 202 of thedata intake and query system 108, a distributed ledger system monitor1804 (also referred to herein as monitor 1804), and a client device 204to interact with data associated with the data intake and query system108. Non-limiting examples of a distributed ledger system 1802 include,but are not limited to, Ethereum, Hyperledger Fabric, Quorum, Guardtime,KSI, etc.

The distributed ledger system monitor 1804 can be used to monitor orobtain data associated with the distributed ledger system 1802. Themonitor 1804 can be implemented using one or more computing devices,virtual machines, containers, pods, another virtualization technology,or the like, in communication with one or more nodes 1806 of thedistributed ledger system 1802. For example, in some embodiments, themonitor 1804 can be implemented on the same or across differentcomputing devices as distinct container instances, with each containerhaving access to a subset of the resources of a host computing device(e.g., a subset of the memory or processing time of the processors ofthe host computing device), but sharing a similar operating system. Forexample, the monitor 1804 can be implemented as one or more Dockercontainers, which are managed by an orchestration platform of anisolated execution environment system, such as Kubernetes.

Although illustrated as being distinct from the data intake and querysystem 108 and distributed ledger system 1802, it will be understoodthat in some embodiments, the monitor 1804 can be implemented as part ofthe data intake and query system 108 and/or distributed ledger system1802. For example, the monitor 1804 can be implemented using or on oneor more nodes 1806 of the distributed ledger system 1802 and/or beimplemented using one or more components of the data intake and querysystem 108. In certain embodiments, such as when the distributed ledgersystem 1802 is implemented using an isolated execution environmentsystem, such as, but not limited to Kubernetes, Docker, etc., themonitor 1804 can be implemented as an isolated execution environment ofthe isolated execution environment system and/or using an isolatedexecution environment system that is separate from the isolatedexecution environment system used to implement the distributed ledgersystem 1802.

In some embodiments, the monitor 1804 interfaces with the distributedledger system 1802 to collect data from one or more components of thedistributed ledger system 1802, such as the nodes 1806. In certainembodiments, the monitor 1804 can collect different types of data fromthe distributed ledger system 1802. In some embodiments, the monitor1804 receives, from one or more nodes 1806, distributed ledgertransactions, blocks, metrics data, and/or log data.

Although only one monitor 1804 is shown in FIG. 18 , it will beunderstood that multiple monitors can be used to collect data from thedistributed ledger system 1802. In some embodiments, one or moremonitors can collect data from each node 1806 (e.g., from each peer node1806 and/or ordering node 1806) or a subset of the nodes 1806 (e.g., oneor more peer nodes 1806).

In some embodiments, the log data can be generated in response to one ormore activities on a node, such as an error, receipt of a request fromanother node 1806 or client computing device, or in response to the node1806 processing a transaction of the distributed ledger system 1802. Thelog data can include information about the activity, such as anidentification of the error, a transaction identifier corresponding tothe transaction being processed and the nature of the processing task,etc. In some embodiments, the log data can correspond to or identifydifferent transactions that are being processed by the nodes 1806. Forexample, the log data generated by a peer node 1806 (as will bedescribed herein) can indicate the processing task being applied to aparticular proposed transaction (e.g., receive transaction, endorsetransaction, validate/invalidate transaction, commit block withtransaction to blockchain, read/write the proposed changes of thetransaction to the ledger state 1904, etc.). Similarly, an ordering node1806 (as will be described herein) can generate log data indicative ofactivities it is executing relative to a transaction (e.g., receiveendorsed transaction, order transaction, add transaction to a block,communicate transaction to peer nodes 1806 as part of the block,committing transaction to blockchain as part of a block, etc.).

Depending on the implementation of the nodes 1806, the log data can bestored in a data store of the nodes, and/or converted and stored as partof log data of an isolated execution environment system, etc. Forexample, if the nodes 1806 are implemented using one or more isolatedexecution environments, the log data may undergo processing by theisolated execution environment system and stored as part of a log fileof the isolated execution environment system. For example, the log datamay be wrapped in a JSON wrapper and stored as part of a Docker orKubernetes log file, etc.

As described herein, the generated metrics can include information aboutthe performance metrics of the node 1806 and/or the distributed ledgersystem 1802, such as, but not limited to, (1) CPU-related performancemetrics; (2) disk-related performance metrics; (3) memory-relatedperformance metrics; (4) network-related performance metrics; (5)energy-usage statistics; (6) data-traffic-related performance metrics;(7) overall system availability performance metrics; (8) cluster-relatedperformance metrics; and (9) virtual machine performance statistics,etc. In some cases, the metrics are stored in a data store associatedwith a node 1806. In some cases, the metrics can include a timestampcorresponding to when the metric was measured/obtained.

The transaction notifications can include information about a block(including its transactions) that is to be committed to a blockchain. Insome cases, the transaction notifications can correspond to individualtransactions of a block, the entire block, or parts of a transactions,such as the bytecode used as part of a transaction, etc. In some cases,the transaction notifications can include the entire content of a block(e.g., the header portion, body portion, transactions, metadata, etc.),or a summary of information, such as an indication of which transactionsof a block were validated/invalidated and/or committed to a blockchain.In certain embodiments, the transaction notifications can be stored in adata store, a publication-subscription (pub-sub) messaging system, orbuffer.

The transaction notifications can differ from the log data. For example,the log data can be generated asynchronously as various activities occuron different nodes 1806 (e.g., errors, specific processing tasks, etc.),whereas the transaction notifications can be generated as a result of ablock being committed to a blockchain. For example, in some cases, peernodes 1806 and/or ordering nodes 1806 can generate log data but onlypeer nodes 1806 can generate transaction notifications. Further, thetransaction notifications can differ from log data in that the log datacan include unstructured raw machine data, whereas the transactionnotifications can include structured data that identifies the block (orportions thereof) that is to be committed to a blockchain or a summaryrelated to transactions of the block that is to be committed (e.g.,identification of validated/invalidated transactions). In addition, thetransaction notifications can include information about multipletransactions and/or multiple transaction identifiers, whereas the logdata may include information about only one transaction and/or only onetransaction identifier.

As mentioned, the monitor 1804 can collect any one or any combination ofthe data generated by the nodes 1806. In some embodiments, the monitor1804 is configured to obtain one type of data, such as the transactionnotifications. In some such embodiments, the monitor 1804 can interactwith a respective node 1806 to obtain the transaction notifications. Asdescribed herein, in some cases, the transaction notifications areposted to a pub-sub. As such, the monitor can subscribe to the pub-subto obtain the relevant transaction notifications. In some cases, a node1806 is associated with multiple channels and the transactionnotifications for the different channels are found on different topicsof a pub-sub or on different pub-subs. In these cases, the monitor 1804can be configured to subscribe to the different topics and/or pub-subs.In this way, the monitor 1804 can collect the relevant transactionnotifications from a node 1806.

In some cases, the monitor 102 processes the transaction notifications.For example, in some cases, portions of the transaction notification,such as the details of the individual transactions, may be encrypted orencoded. In these examples, the monitor 1804 can decode byte strings toreadable UTF8 strings or hex. Further, the transaction notifications mayinclude information about multiple transactions. In some suchembodiments, the monitor 102 may parse information about individualtransactions and separately communicate the information about individualtransactions to the data intake and query system 108 (as well as theentire transaction notification). In certain cases, each communicationcan include a transaction identifier that identifies the correspondingtransaction. The data intake and query system 108 can store the separatecommunications as individual events. Accordingly, the monitor 1804 canbe used to generate multiple events from one transaction notification.In some embodiments, the data intake and query system 108 can store theindividual events generated from the transaction notifications in anindex that is separate from an index that store metrics data and/or logdata.

Furthermore, the monitor 1804 and/or data intake and query system 108can extract the transaction identifiers from the communications receivedfrom the monitor 1804 using one or more regex rules. In some suchembodiments, the data intake and query system 108 can store thetransaction identifiers in one or more inverted indexes that associatethe transaction identifier with the event that includes it. In somecases, the monitor 1804 can extract additional information from thetransaction notifications, such as, but not limited to channelinformation (e.g., the channel associated with the transaction and/orblockchain), node information (e.g., identification of the nodes thatendorsed, ordered, and/or validated the transaction), etc. The dataintake and query system 108 can store any one or any combination of theextracted information in one or more inverted indexes.

FIG. 19A is a block diagram illustrating an example of a distributedledger system 1802 that provides one or more distributed ledgers1808A-1808F (generically referred to as ledger(s) 1808) or blockchainsacross one or more nodes 1806A-1806F (generically referred to as node(s)1806). The nodes 1806 can communicate via a network 1902. The network1902 can be the same as network 104 or a different public or privatenetwork.

Each node 1806 can be implemented using individual computing devices,distributed processing systems, servers, isolated execution environments(e.g., containers, virtual machines, etc.), shared computing resources,and so on. In some embodiments, the nodes 1806 can be implemented on thesame or as part of different isolated execution environment systems(e.g., as different containers or pods of the same or differentKubernetes cluster or Docker swarm).

In the illustrated embodiment of FIG. 19 , each node 1806 is shown toinclude a ledger 1808 (which may include more than one ledger), whichcan be stored across one or more data stores, etc. In some embodiments,the ledger 1808 of each node 1806 can include one or more blockchains,etc. In some cases, the ledgers 1808 of the different nodes 1806correspond to each other, include the same or matching data entries, orinclude the same data.

The distributed nodes 1806 can store, maintain and/or update theirrespective ledger 1808. Each node 1806 can be configured for storing aversion of the distributed ledger 1808 (or a portion thereof), and thedistributed ledger 1808 may be updated from time to time withmodifications to the ledger 1808 and/or ledger entries, such asinsertion of a ledger entry (also referred to herein as a block) or anupdate of a ledger entry. The distributed ledger system 1802 may beadapted such that, where issues arise with the distributed ledger 1808(e.g., hash collisions, insertions at the same time, corruptedledgers/ledger entries), the issues are resolved based at least on issueresolution logic. For example, such logic may be distributed among eachof the nodes 1806 and/or their computing systems and can be used toimprove or ensure consistency between copies of the ledgers at thedifferent nodes. In some embodiments, issues may arise that can cause adistributed ledger 1808 to “fork” and/or spawn another instance, forexample, where a collision cannot be automatically resolved between thenodes. In such cases, the resolution logic can be used to determine whento “fork” or spawn another instance, etc.

It will be understood that each node 1806 can include fewer or morecomponents. For example, each node 1806 can include processors, buffers,applications, databases, etc. In some cases, the nodes 1806 can includeexecutable instructions or code that when executed by the node 1806cause the node 1806 to modify a corresponding ledger 1808 or generate atransaction that is to be stored in a block of a blockchain. In somecases, the executable instructions can be bytecode and can be used toimplement or execute a smart contract relative to the ledger 1808.

As described herein, the nodes 1806 can include at least a decentralizedset of computing devices and may even include personal computing devicesfor individuals, and so on. For example, a ledger 1808 may be stored ona large number of publicly available devices, each acting as a “node”for storing a copy of the ledger 1808 (e.g., being collaborativelymaintained by anonymous peers on a network). In some embodiments, theledger 1808 is only stored and maintained on a set of trusted “nodes”,such as on a private network or on the computing systems of authorizedusers. In some embodiments, a combination and/or a “mix” of both trustednodes and public nodes may be utilized, with the same and/or differentrules being applied to activities performed at each (e.g., a differentvalidation process may be used for untrusted nodes, or simply untrustednodes may be unable to perform certain activities). In some embodiments,there may be different levels of nodes with differing characteristicsand applied logic.

The ledgers 1808, ledger entries, and/or information stored on theledger entries may be used to store information received from one ormore computing devices. For example, the information may include bankinginformation, other commercial information, smart contracts, etc.Further, the ledger 1808 and ledger entries may utilize encryptiontechnology to facilitate and/or validate digital signatures or the datareceived from the computing devices.

In some embodiments, the ledger 1808 is publicly accessible. In someembodiments, the ledger 1808 is only accessible to select, authorizednodes having the appropriate permissions. In some embodiments, portionsof the ledger 1808 are public and portions of the ledger 1808 areprivate. When the ledger 1808 is publicly accessible, the ledger 1808may be adapted to only store information incidental to a transaction ora document relating to a transaction, and may be adapted such thatidentifiable information is removed but validation information ismaintained (e.g., storing a hash value computed from the underlyinginformation). Further, the information stored on the ledger 1808 may beencrypted (non-limiting example: using a public key of a key pairassociated with the data intake and query system 108), redacted,compressed, transformed (e.g., through a one-way transformation or areversible transformation), and so on.

Each of the one or more nodes 1806 may have, at various times, versionsof the ledger 1808, and the ledger 1808 may be maintained through thepropagation of entries and/or updates that may be copied across ledgers1808. Ledger entries may contain elements of information (e.g., headerinformation and/or other data). There may be various rules and/or logicinvolved in activities relating to the ledger entries (e.g., creating,updating, validating, deleting); for example, a majority, supermajority,or unanimous consent between nodes may be enforced as a condition to anactivity relating to an entry. In some embodiments, distributed ledgers1808 are utilized and the ledger entries are adapted to have variouslinkages to one another such that the integrity of the ledger entriescan be reinforced and/or validated. For example, the linkages mayinclude hashes computed based on prior entries in the ledger 1808, whichmay be utilized to determine whether a ledger entry is a fraudulententry by reviewing the correctness of the hash based on performing thehash on information stored on prior entries.

The ledger 1808 may be maintained through, for example, a “distributednetwork system”, the distributed network system providing decentralizedcontrol and storage of the ledger 1808 at the one or more nodes (whichmay be considered “nodes” of the system). The number of “nodes” may befixed or vary with time, and increasing or decreasing the number of“nodes” may impact the performance and/or security of the system.

The ledger 1808 copies stored and maintained at each “node” providecross-validation with one another in the event of conflicts betweenledgers 1808, and various cryptographic and/or hashing algorithms may beutilized during the generation, updating, deletion, linking, and so on,of ledger entries such that ledger entries have increased resiliency tounauthorized tampering or modification. For example, a blockchain ledger1808 may be distributed across nodes 1806 and used to track informationreceived from one or more computing devices. The blockchain ledger 1808may have entries linked to one another using cryptographic records, andentries in the blockchain may be ordered, time stamped, and/orassociated with metadata. These and other methods can be used forprotection against “double” transfers and unauthorized modification ofledger entries.

FIG. 19B is a block diagram illustrating another example of adistributed ledger system 1802 that includes different types of nodes1806. Specifically, the illustrated example of FIG. 19B includes fourpeer nodes 1806A, 1806C, 1806D, 1806F (generically referred to as peernode(s) 1806) and two ordering nodes 1806B, 1806D (generically referredto as ordering node(s) 1806). It will be understood that fewer or morenodes can be included as desired. For example, the distributed ledgersystem 1802 can include only one ordering node 1806 or two or moreordering nodes 1806. Similarly, the distributed ledger system 1802 caninclude fewer or more peer nodes 1806 as desired.

As described herein, the peer nodes 1806 and ordering nodes 1806 can beimplemented using one or more computing devices, isolated executionenvironments, etc. In some embodiments, each peer node 1806 and/orordering node 1806 can be associated with the same or differentorganization, entity, or user. For example, one company may beassociated with or control peer nodes 1806A, 1806C and ordering node1806B, a second company may be associated with or control peer node1806D and ordering node 1806E, and a third company may be associatedwith or control peer node 1806F. A non-limiting example of a distributedledger system 1802 that includes peer nodes 1806 and ordering nodes 1806is the Hyperledger Fabric.

For simplicity in describing FIG. 19B, the peer nodes 1806 and orderingnodes 1806 are described with reference to a common channel that enablesprivate communications/transactions between the illustrated nodes1806A-1806F. However, it will be understood that the peer nodes 1806 andordering nodes 1806 can be associated with multiple channels that eachenable private communications/transactions between nodes associated withthe channel and/or be associated with multiple consortiums made up oforganizations that control the individual nodes 1806. Further, it willbe understood that each peer node 1806 can include one or more peer nodeledgers 1808 and/or ledger states 1904 and perform the functionsdescribed herein for each channel with which the peer node 1806 isassociated. Similarly, each ordering node 1806 can include an orderingnode ledger 1808 and perform the functions described herein for eachchannel with which the ordering node 1806 is associated. In some cases,each channel can include at least one ordering node 1806 and multiplepeer nodes 1806. In certain embodiments, a channel is associated withmultiple peer nodes 1806 and only one ordering node 1806. In certaincases, multiple ordering nodes 1806 can be associated with the samechannel.

In the illustrated embodiment of FIG. 19B, each of the peer nodes 1806A,1806C, 1806D, 1806E includes a respective peer node ledger 1808A, 1808C,1808D, 1808F (generically referred to as peer node ledger(s) 1808) and arespective ledger state 1904A, 1904C, 1904D, 1904E (generically referredto as ledger state(s) 1904), and can be used to receive proposedtransactions from a client computing device (not shown), endorsetransactions, communicate endorsed transactions to a client computingdevice or ordering node 1806, validate transactions of a block, commitblocks to a respective peer node ledger 1808, and/or update a respectiveledger state 1904.

Similar to the description of ledgers 1808 with reference to FIG. 19A,the peer node ledgers 1808 can include one or more ledgers orblockchains. Further, the peer node ledgers 1808 of the different peernodes 1806 can correspond to each other, include the same or matchingentries, transactions, blocks, blockchains, etc. In some cases, the peernode ledger 1808 can include blocks formed from validated transactions,but may exclude invalidated transactions. In certain embodiments, thepeer node ledgers 1808 can include blocks formed from validated andinvalidated (or failed) transactions. In certain embodiments, such asembodiments in which an ordering node 1806 maintains an ordering nodeledger 1808, the peer node ledgers 1808 can correspond to or match theordering node ledgers 1808 of the ordering nodes 1806 and/or bedifferent. For example, in some cases, the ordering node ledgers 1808can include all endorsed transactions, regardless of whether they arevalidated and the peer node ledgers 1808 can include endorsed andvalidated transactions but not endorsed and invalidated or failedtransactions. In certain embodiments, the peer node ledgers 1808 caninclude one ledger or blockchain that matches the ordering node ledger1808 and another ledger that does not match the ordering node ledger1808.

In some cases, the peer node ledger 1808 is generated based on blocksreceived from an ordering node 1806. For example, the peer node 1806 canreview the transactions of a received block and, if a transaction isvalidated, can include the transaction as part of a block for the peernode ledger 1808. Accordingly, in certain embodiments a block of a peernode 1806 may have fewer transactions (or none) compared to acorresponding block received from the ordering node 1806 and/or found inthe ordering node ledger 1808.

As described herein at least with reference to FIG. 20 , when a peernode ledger 1808 is implemented as a blockchain, each block of theblockchain can include a header portion (including metadata) and a bodyportion. The header portion and/or metadata can include a block number(e.g., which block the block is in the blockchain), one or more contentidentifiers for the current block, a content identifier for a previousblock, one or more timestamps (e.g., when block was created, added tothe blockchain, etc.), a digital certificate, a public key (of apublic-private key pair), a digital signature of the peer node 1806 thatadded the block to the blockchain, and/or indicators as to whether atransaction of the block is valid/invalid, etc. In addition, in somecases, the header portion can include hashes or content identifiers forindividual transactions of a block, and the body portion of a block inthe blockchain can include one or more transactions or transaction dataassociated with a transaction.

In certain embodiments, each transaction can include header information(e.g., bytecode used to generate the transaction, software version,etc.), digital signature of the client computing device that initiatedthe transaction, a signature or identifier of the endorsing peer nodes1806 (peer nodes 1806 that signed and/or endorsed the transaction),channel information (which channel the transaction is associated with),a signature or identifier of the ordering node 1806 that ordered thetransaction in the block, a proposed change to the peer node ledger1808, an expected input/output of the transaction (e.g., the content ofthe ledger state 1904 before and after the transaction is executed,etc.), etc.

The ledger state 1904 can include one or more key-value pairs reflectingthe value or state of the key (of the key-value pair), and can beimplemented as a database in one or more data stores of a peer node1806. In some embodiments, the ledger state 1904 reflects a currentstate or value of the keys based on the transactions in thecorresponding peer node ledger 1808 or blockchain. As a non-limitingexample, if the peer node ledger 1808 reflects transactions (e.g.,debits and credits) associated with a particular bank account or otherintangible object, the ledger state 1904 can reflect the current valueof money in the bank account based on all previous transactions. Asanother non-limiting example, the ledger state 1904 can reflect acurrent ownership of a car or other physical object based on previous(validated) transactions associated with the car found in the peer nodeledger 1808. Accordingly, as a peer node 1806 adds a block with one ormore transactions to a peer node ledger 1808 or blockchain, the peernode 1806 can update the ledger state 1904 for keys that were alteredbased on any one or any combination of the (validated) transactions ofthe block. Similar to the peer node ledgers 1808, the ledger states 1904of the different peer nodes 1806 can correspond to each other, includethe same or matching key-value pairs, etc.

Although not illustrated, it will be understood that each peer node 1806can include fewer or more components. For example, as mentioned, eachpeer node 1806 can include multiple peer node ledgers 1808, as well asbytecodes, permissions, etc. This information can be stored on one ormore data store associated with the peer node 1806. The permissions canindicate which channels, organizations, or other components, the peernode 1806 is associated with and/or what information the peer node 1806is allowed to access or edit, etc.

The bytecodes can include executable instructions that the peer node1806 is to execute and which can generate or be used to endorse orvalidate transactions for a block of a blockchain. For example, abytecode can indicate that a peer node 1806 is to read/write informationto a ledger state 1904. A client computing device (not shown) can causethe peer node 1806 to execute the bytecode by providing the peer node1806 with one or more inputs. For example, if the bytecode is used toreflect the change in ownership of a car, the client computing devicecan identify the subject car and the identity of the parties involved inthe transaction (e.g., buyer and seller). The peer node 1806 can use thebytecode to verify whether the ledger state 1904 includes the identifiedcar and the parties are valid (e.g., identified owner owns the car andbuyer is able to purchase the car), etc. Based on the bytecode, therelevant peer nodes 1806 can endorse or validate a transaction that isto be included as part of a block in a blockchain.

FIG. 20 is a block diagram illustrating an embodiment of a blockchain2000 or distributed ledger that includes blocks that are linkedtogether. The blockchain 2000 can correspond to a peer node blockchain(non-limiting example: include only validated transactions or anindication of valid/invalid transactions) and/or an ordering nodeblockchain (non-limiting example: include transactions regardless ofvalidation). In the illustrated embodiment, four blocks 2002A, 2002B,2002C, 2002D (generically referred to as block(s) 2002) of theblockchain 2000 are shown, with each block 2002 including a headerportion 2004A, 2004B, 2004C, 2004D (generically referred to as headerportion(s) 2004) and a body portion 2006A, 2006B, 2006C, 2006D(generically referred to as body portion 2006). However, it will beunderstood that each block 2002 can include fewer or more sections, etc.For example, in some embodiments, each block 2002 can include only abody portion 2006 or only a header portions 2004 (e.g., if a peer node1806 determines that no transactions of a block received from anordering node 1806 can be validated, the peer node 1806 can generate ablock with no transactions). In addition, for simplicity, some detailsof the blocks 2002 are not shown. For example, additional informationcan be included in the header portions and/or body portions, etc.

The distributed ledger system 1802 can generate blocks based on variouscriteria, such as, but not limited to, the passage of a predeterminedtime interval, the size or amount of data/transactions received, thedetermination of a solution to a computational puzzle that is determinedby a difficulty parameter, the number of block entries (ortransactions), or generated content identifiers received, etc. In someembodiments, the distributed ledger system 1802 can generate a blockbased on a predetermined period of time. For example, the distributedledger system 1802 can generate a block for the blockchain 2000 once asecond, every 10 seconds, once a minute, every 10 min., every hour, etc.In certain embodiments, the distributed ledger system 1802 can generatea block based on the size or amount of data corresponding to one or moretransactions. For example, the distributed ledger system 1802 cangenerate a block for each group of transactions that forms a megabyte orgigabyte of data. In some embodiments, the distributed ledger system1802 can generate a block based a node or computing system determining asolution to a computational puzzle that is based on a difficultyparameter. In certain cases, the difficulty parameter changes over timeto ensure that blocks are likely to produce on a regular time interval.In some cases, the distributed ledger system can generate a block basedon a number of block entries, transactions, or content identifiers. Forexample, the distributed ledger system 1802 can generate a block foreach transaction or each set of 100, 1000, or 1,000,000 transactions,etc. The distributed ledger system 1802 can use any one or anycombination of the aforementioned techniques to generate a block.

In the illustrated embodiment, the header portions 2004 include acontent identifier (in this example a hash) associated with the previousblock (e.g., a hash of the body portion of the previous block) and acontent identifier for the current block (e.g., for the body portion ofthe current block). For example, the header portion 2004B includes thehash “49vvszj39fjpa,” which corresponds to the hash of the body portion2006A and the hash “69yu8qo4prb5,” which corresponds to the hash of thebody portion 2006B.

It will be understood that less, different, or more information can beincluded in the header portions 2004, as desired. For example, theheader portions 2004 can include a nonce, root hash of a Merkle tree,timestamp, difficulty level, software version number, block numberindicating the number of blocks in the blockchain that precede theblock, etc. The nonce can correspond to the number used to obtain a hashthat is smaller than a target hash. For example, in some embodiments,before a group of transactions can be added as a block to the blockchain2000, the distributed ledger system 1802 may require that the hash ofthe content of the block (e.g., the hash of the body portion 2006) belower than a threshold number. To meet that criteria, a node 1806 canadd a nonce value and hash the combination of the nonce value and thecontent of the block. If the resulting hash does not meet the sizecriteria, the node can repeatedly increment the nonce value and takehash again until the threshold is satisfied. The final nonce value canbe included in the block.

As another example, the header portions 2004 can include hashes of theentire previous block (header and/or body portion), one or moretimestamps (or time range) reflecting the time when the block wasstarted, completed, and/or added to the blockchain 2000, and/or adifficulty level. In certain cases, the timestamp can correspond tocurrent day and time and/or the amount of time elapsed from a particulartime. The difficulty level can, in certain cases, correspond to the sizeof the hash. In certain cases, a smaller hash can correspond to a higherdifficulty level. The root hash can correspond to the hash created basedon hashes of multiple transactions, including any hashes of hashesgenerated by hashing transactions, and so on.

The header portions 2004 can include a content identifier for eachtransaction included in the body portion 2006. For example, the headerportion 2004 can include a hash of each transaction in the body portion2006. In certain embodiments, the header portion 2004 can include adigital certificate, public key, and/or digital signature associatedwith the peer node 1806 or ordering node 1806 that created it. In somecases, the header portion 2004 (or other metadata) can include anindicator for each transaction indicating whether the transaction wasvalidated by a peer node 1806. In some embodiments, where the orderingnode ledger 1808 and the peer node ledger 1808 are different, the headerportion of a block in a peer node ledger 1808 can include an indicationof the block in the ordering node ledger to which it relates. Forexample, if OrderBlock_12 in an ordering node blockchain includesTransaction_A that is later invalidated and excluded from acorresponding PeerBlock_12 in a peer node blockchain, the header portionof the PeerBlock_12 can include an identifier that identifiesOrderBlock_12 in the ordering node blockchain as includingTransaction_A.

With continued reference to FIG. 20 , the body portions 2006 can includeone or more block entries for each transaction of the block. In someembodiments, the block entries can be compressed and/or the content ofone or more block entries (or all block entries) can be encoded orencrypted using a public key of a key pair associated with the computingdevice that provided the information for the block entry. In this way,the distributed ledger system 1802 can limit the accessibility of theblock entries.

In some embodiments, the block entries can include transaction data,such as but not limited to, a transaction identifier, node signatures(e.g., endorsing/validating peer nodes 1806, ordering nodes 1806, etc.),client computing device signatures, proposed ledger changes, expectedinput/output of the transaction, bytecode identification, inputs intothe bytecode, channel information, timestamp of creation, etc. In somecases, each proposed transaction received by a peer node can be assigned(or come with) a transaction identifier or transaction ID. Thetransaction identifier can follow the transaction throughout thevalidation process and/or be included as part of transaction in a blockentry of a block.

The digital signatures can include any one or any combination of adigital signature from the client computing device that initiated theproposed transaction, a digital signature corresponding to the peernodes 1806 that endorsed the transaction, the digital signature of theordering node(s) 1806 that ordered the transactions in and/or createdthe block, and/or the digital signature of the peer node 1806 thatvalidated the transaction as part of the block and/or committed theblock to the blockchain. In certain cases, the transaction data of ablock entry can include the proposed change to the ledger state 1904,including the proposed key-value pairs before and after the transactionis executed. In certain cases, the transaction data can include anidentification of the bytecode that generated or corresponds to thetransaction.

In the illustrated embodiment, the block entry for the transactions ofbody portion 306A includes a transaction identifier that uniquelyidentifies the transaction, an indication of ledger changes, theidentification of the channel with which the blockchain is related(channel 5), the signatures of the endorsing peer nodes (peer node 1 andpeer node 2 for the first transaction and peer node 3 for the secondtransaction), the signature of the ordering node that ordered thetransactions (ordering node 2), and the signature of the validating peernode (peer node 6). As shown, given that the transactions are includedin the same blockchain, the channel and validating peer node for thetransactions in the body portion 2006A is the same. However, theendorsing peer nodes are different. As described herein, this can be dueto the peer nodes involved in a transaction as determined by thebytecode and/or request made by a client computing device.

As described herein, the information in the block 2002A can be used togenerate one or more transaction notifications. For example, onetransaction notification can include the entirety of the block 2002A. Asanother example, a transaction notification can include informationabout the validation of the transactions in the block. For example, thetransaction notification can identify the transactions of a block thatare validated and/or invalidated, etc.

FIGS. 21A-21D are data flow illustrating an embodiment of a distributedledger system 1802 processing a transaction and generating and storing ablock that includes the transaction to a blockchain. In some cases, thevalidation process described herein with reference to FIGS. 21A-21D cancorrespond to the validation of one or more transactions on a particularchannel within the distributed ledger system 1802.

In the illustrated embodiment of FIG. 21A, (1) a client computing device2102 proposes a transaction to peer nodes 1806A and 1806F and receivesan endorsed transaction in return. As mentioned, the peer nodes 1806Aand 1806F can be associated with different parties or organizations.Further, the proposed transaction may relate to a proposed physicaltransaction between the different organizations.

The peer nodes 1806A and 1806F process the proposed transaction anddetermine whether to endorse it. In certain embodiments, upon receipt ofthe proposed transaction, the peer nodes 1806A can assign a transactionidentifier to the proposed transaction. In certain embodiments, theclient computing device 2102 can generate a transaction identifier forthe proposed transaction and communicate the transaction identifier tothe peer nodes 1806A and 1806F with the or as part of the proposedtransaction. The peer nodes 1806 and ordering node 1806 can use thetransaction identifier to uniquely identify the transaction throughoutthe validation process.

In some cases, processing the proposed transaction can include executingbytecode related to the proposed transaction using one or more blocks ofa respective peer node ledger 1808 or by referencing the ledger state1904. In certain cases, the execution of the bytecode does not modifyany blocks or the ledger state 1904, but merely verifies whether theproposed transaction could be done based on the information in theblocks and ledger state 1904. In response to the proposed transaction,the peer nodes 1806A, 1806F can endorse the proposed transaction. Forexample, if the proposed transaction includes the proper credentials andreferences the correct values of the ledger state 1904, and identifiesthe proper values as part of the transaction, the peer nodes 1806A,1806F can endorse the proposed transaction. As yet another example, thepeer nodes 1806 can endorse a transaction based on a user determiningthat an entity associated with the peer node 1806 desires to proceedwith the transaction. For example, if the transaction corresponds to thechange in ownership, then the entities associated with the change inownership can endorse the proposed transaction via the peer nodes 1806.

In some cases, the peer nodes 1806A, 1806F can endorse the proposedtransaction by digitally signing the proposed transaction using aprivate key of a public-private key pair. In certain cases, if the peernodes 1806A, 1806F do not endorse the proposed transaction (within aparticular amount of time) the transaction can fail or the clientcomputing device 2102 can resubmit the proposed transaction at a latertime.

In the illustrated embodiment of FIG. 21A, the client computing device2102 communicates with peer nodes 1806A and 1806F. However, it will beunderstood that the interactions can vary depending on the type oftransaction, permissions, etc. In some cases, based on the transaction,the client computing device 2102 interacts with only one peer node 1806.In certain embodiments, the client computing device 2102 can interactwith multiple peer nodes 1806. Further, in some embodiments, as part ofthe validation, one peer node 1806 can interact with another peer node1806. For example, if the transaction is a transfer of ownership betweenan entity associated with peer node 1806A and a different entityassociated with peer node 1806F, and the transaction is initiated withpeer node 1806A, the peer node 1806A can communicate the proposedtransaction to peer node 1806F for endorsement. In certain embodiments,an application executing on the client computing device 2102 identifiesthe peer nodes 1806 that are associated with a particular proposedtransaction and communicates the proposed transaction to the differentpeer nodes 1806 for endorsement. In some cases, the peer nodes canendorse the proposed transaction in a round robin fashion. For example,after one peer node 1806 endorses the proposed transaction, it canforward the proposed transaction to another peer node for endorsementuntil a threshold number (e.g., all or a particular subset) of the peernodes 1806 have endorsed the proposed transaction. In some embodiments,the ordering nodes 106 are not involved with the endorsement of theproposed transaction.

With reference to FIG. 21B, the client computing device 2102 can (2)request the ordering nodes 1806B, 1806E to order the transaction. Aspart of requesting the ordering nodes 1806 to order the transaction, theclient computing device 2102 can provide the ordering nodes 1806B, 1806Ewith the endorsed transaction.

Although illustrated as providing the endorsed transactions to twoordering nodes, it will be understood that the client computing device2102 can provide the endorsed transactions to fewer or more orderingnodes 1806 as desired. In addition, in certain embodiments, one or moreof the endorsing peer nodes 1806A, 1806F can provide the endorsedtransaction to the ordering nodes 1806B, 1806E for ordering.

The ordering nodes 1806B, 1806E can (3) process the endorsed transactionreceived from the client computing device 2102. In some cases,processing the endorsed transaction can include ordering the endorsedtransaction relative to other endorsed transactions of the distributedledger system 1802. For example, multiple client computing devices 2102can be interacting with any one or any combination of the peer nodes1806 to generate endorsed transactions. The ordering nodes 1806 canreceive the endorsed transactions and order them.

In certain embodiments, the ordering nodes 1806 can order the endorsedtransactions based on a timestamp, such as the first, last, or anaverage of the timestamps of one or more of the endorsements (e.g., thetimestamp associated with the peer node 1806A and/or the peer node1806F), the timestamp of the proposed transaction submission orcreation, etc.

In addition, as part of processing the endorsed transactions, theordering nodes 1806B, 1806E can generate a block for a blockchain usingthe endorsed transactions, including generating a header, body, and/orother parts of the block, as discussed above. In some cases, theordering nodes 1806B, 1806E can append the generated blocks to a localblockchain or ordering node ledger 1808. In some cases, when appendingthe generated blocks to the local blockchain, the ordering nodes 1806 donot validate the transactions of the block. In certain embodiments, thepeer nodes 1806 are not involved with the ordering of the transactionsand/or the creation of the blocks from the ordered transactions.

With reference to FIG. 21C, the ordering nodes 1806B, 1806E (4)communicate the generated blocks to the peer nodes 1806A, 1806C, 1806D,1806F for validation and commitment to a blockchain. As describedherein, each generated block can include one or more endorsedtransactions in a body portion, a header portion, and/or metadata, etc.As described herein, at least with reference to FIG. 20 , the headerportion can include a hash of each transaction in the block, a hash ofthe hashes of each transaction, a hash of all transactions of the blockor the content of a body portion of the block, a hash of a previousblock of the blockchain, etc. Although both ordering nodes 1806B, 1806Eare illustrated as providing the generated blocks to all peer nodes1806A, 1806C, 1806D, 1806F, it will be understood that in some cases,each ordering node 1806 provides the generated blocks to a subset of thepeer nodes 1806A, 1806C, 1806D, 1806F (e.g., ordering node 1806B cansend the generated blocks to peer nodes 1806A, 1806C and ordering node1806E can send the generated blocks to peer nodes 1806D, 1806F) or onlyone ordering node 1806 can provide the generated blocks to all peernodes 1806.

The body portion can include one or more transactions or transactiondata. As described herein, in some embodiments, the transaction data caninclude any one or any combination of: a timestamp corresponding to thetransactions submission/creation, an identifier of the code (orbytecode) associated with the transaction, a signature or identificationof the client computing device (or corresponding application) thatinitiated the transaction, a signature or identifier of the endorsingpeer nodes (peer nodes 1806A, 1806F that signed and/or endorsed thetransaction), a signature or identifier of the ordering node 1806B thatordered the transaction and/or generated the block, a proposed change tothe ledger, a channel identifier that identifies the channel associatedwith the blockchain, an expected input/output of the transaction, suchas the content of a database of the ledger that stores the key-valuesassociated with different transactions before and after the change isimplemented, etc. Further, in some cases, the transaction data caninclude an identification of log data generated during bytecodeexecution, a bytecode response, etc.

As illustrated at FIG. 21D, the peer nodes 1806A, 1806C, 1806D, 1806Fcan (5) validate the transactions in the block and append or commit theblock to a peer node ledger 1808 and/or a peer node blockchain. Incertain embodiments, the peer nodes 1806A, 1806C, 1806D, 1806F canvalidate the transactions by comparing the expected inputs (e.g., valueindicated in the transaction for a particular key of the ledger state1904 compared to the actual value of the key in the ledger state 1904).In some cases, if the value or state of the key in the ledger state 1904matches the value or state identified by the transaction, the peer node1806 can validate the transaction. In certain cases, the peer nodes canvalidate the transactions based on permissions or other informationassociated with the endorsing peer nodes 1806A, 1806F, etc.

In addition, in some cases, the peer nodes 1806A, 1806C, 1806D, 1806Fcan update the ledger state 1904 based on the transactions. For example,as described herein, the ledger state 1904 can store key-valuescorresponding to the subject of one or more transactions. When atransaction affects a particular key-value pair, the peer nodes 1806 canupdate the key-value pair in the respective ledger state 1904 and appendthe corresponding block to the blockchain of the respective peer nodeledger 1808. As described herein, the ledger state 1904 can reflect thecurrent state or value of a key based on the combination of validtransactions in a blockchain.

Throughout the validation process, the nodes 1806 can generate differenttypes of data, such as, but not limited to transaction notifications,log data, and/or metrics data.

In some cases, the peer nodes 1806 can generate one or more transactionnotifications. The transaction notifications can correspond toindividual transactions of a block, the entire block, or parts of atransactions, such as the bytecode used as part of a transaction, etc.In some cases, the transaction notifications can include the entirecontent of a block (e.g., the header portion, body portion,transactions, metadata, etc.), or a summary of information, such as anindication of which transactions were validated and/or posted to a peernode blockchain. In certain embodiments, the notifications can be storedin a pub-sub or buffer and/or the peer nodes 1806 can notify the clientcomputing device 2102 based on the generated transaction notifications,and provide client computing device 2102 with information about thetransaction as part of the block of a blockchain. In some cases, thepeer node 1806 can indicate to the client computing device 2102 whetherthe transaction was validated or invalidated, etc.

In addition to generating notifications, the nodes 1806 can generate logdata. The log data can correspond to or identify different transactionsthat are being processed by the nodes 1806 or other activities relatedto the node, such as errors, etc. For example, the log data generated bya peer node 1806 can indicate what the peer node 1806 doing for aparticular proposed transaction (e.g., receive transaction, assigntransaction identifier, endorse transaction, validate/invalidatetransaction, post block with transaction to blockchain, read/writeproposed changes of the transaction to the ledger state 1904, etc.).Similarly, the ordering nodes 1806 can generate log data indicative ofactivities it is executing relative to the transactions (e.g., receiveendorsed transaction, order transaction, generate block, add transactionto a block, communicate transaction to peer nodes as part of the block,post transaction to blockchain as part of a block, etc.). Though logdata can capture the activity of a node as the node processestransactions, the log data for the node can, in some cases, only capturethe activity of the one node. Depending on the implementation of thenodes 1806, the log data can be stored in a data store of the nodes,and/or converted and stored as part of log data of an isolated executionenvironment system, etc.

Moreover, as the nodes 1806 process data, they can generate certainmetrics. For example, the nodes 1806 can generate CPU usage, diskspace,etc. and other metrics. Though the metrics for a node result fromprocessing performed by the node, metrics data may not capture anyinformation about transactions that were processed. In some cases, themetrics are stored in a data store of the nodes 1806.

The data intake and query system 108 can ingest and correlate the datagenerated by a distributed ledger system 1802. In some cases, the dataintake and query system 108 can ingest the data using differentcomponents. For example, the data intake and query system 108 can use amonitor to ingest one type of data and use a forwarder, connector,and/or data adapter for other types of data.

Based on the collected data, the data intake and query system 108 canidentify correlations between transactions that are included in ablockchain and corresponding log data and metrics data. This informationcan provide insight into the inner workings of the distributed ledgersystem 1802, identify performance issues, security issues, errors, etc.By identifying faults, errors, and issues with the different componentsof the distributed ledger system 1802, the data intake and query system108 can improve the distributed ledger system 1802 as a whole. Forexample, based on the identified issues, system configurations can beadjusted, components can be fixed or reconfigured, etc. In this way, thedata intake and query system 108 can improve the speed, efficiency,throughput, and processing power of the distributed ledger system 1802.In addition, by correlating the different data types or associating datafrom different nodes of the distributed ledger system 1802, the dataintake and query system 108 can track the throughput of the system,identify bottlenecks, and be used to make adjustments to the distributedledger system 1802.

FIG. 22 is a data flow diagram illustrating data ingestion from thedistributed ledger system 1802 by the data intake and query system 108operating in accordance with aspects of the present disclosure. As notedherein above, the data intake and query system 108 may implement aGetting-Data-In (GDI) component (such as data adapter, monitor,forwarder, connector, or the like) in order to ingest the distributedledger transaction data, e.g., by reading log files maintained by one ormore nodes of the distributed ledger, listening to the blocks,transactions, and events that are broadcasted to all participating nodesof a distributed ledger, and/or performing other actions. The ingestedraw data may be aggregated, decoded, visualized, and/or furtherprocessed by the data intake and query system.

In the illustrated embodiment of FIG. 22 , the node 1806 is shown as apeer node 1806 with a peer node ledger 1808, a ledger state 1904, and abuffer 2204. The node 1806 can generate different types of data,including transactions, blocks, metrics data, and/or log data. In anillustrative example, a transaction can include the transactionidentifier, a timestamp, the source account identifier, the destinationaccount identifier, and a bytecode invoking a smart contract byspecifying a function name and parameter values.

The log data can include information generated by the node as itprocesses requests, transactions, etc. The log data can, for example,include information about errors, or other issues. In some cases, thelog data can include a transaction identifier indicating a particulartransaction associated with the generated log data. For example, the logdata can indicate that a particular transaction associated with aparticular transaction identifier was received, rejected, forwarded,processed, endorsed, ordered, included in a block, validated,invalidated, pruned, caused an error, rejected, used to edit the ledgerstate 1904, etc. The log data can also include information about otheroccurrences within the node 1806, such as, but not limited to,interactions with other nodes 1806, setup, administrativecommunications, configuration settings/changes, etc. As describedherein, in some embodiments, the log data may be unstructured rawmachine data, whereas the transaction notifications may be structured.

As described herein, the metrics can include information about theperformance metrics of the node 1806 and/or the distributed ledgersystem 1802, such as, but not limited to, CPU-related performancemetrics; disk-related performance metrics; memory-related performancemetrics; network-related performance metrics; energy-usage statistics;data-traffic-related performance metrics; overall system availabilityperformance metrics; cluster-related performance metrics; and virtualmachine performance statistics, etc.

The different types of data generated by the node 1806 and/ordistributed ledger system 1802 can be accessible via different paths orstored in different locations of the node 1806. For example, the datacan be located in a data store, pub/sub, buffer, or real-time datastream. In some embodiments, such as when the distributed ledger system1802 is implemented in an isolated execution environment system, thedata can be wrapped or converted to another format, such as JSON, andstored as a JSON (or other type) file. In some such cases, a dataadapter 2202, connector, or monitor can be used to extract the datagenerated by the node from the wrapper. In some such embodiments wherethe distributed ledger system 1802 is implemented using Kubernetes orDocker, log data generated by the node 1806 can be wrapped in a JSONwrapper and stored as a Docker or Kubernetes log file, which may, forexample, be accessible through an API. In some such case, a data adapteror monitor can use the API or another mechanism to extract the log datagenerated by the node from the JSON wrapper and/or Docker or Kuberneteslog file.

As described herein, in some cases, the data obtained from the node 1806can be available via a messaging buffer 2204. In certain embodiments,the buffer 2204 operates according to a publish-subscribe (“pub-sub”)messaging system. For example, a channel may be represented as one ormore “topics” within a pub-sub system, and new transaction notificationsmay be represented as a “message” within the pub-sub system. Thedistributed ledger system monitor 1804 may subscribe to a topicrepresenting desired information (e.g., a particular channel, alltransaction notifications, etc.) to receive messages within the topic.Thus, the distributed ledger system monitor 1804 can be notified of newdata categorized under the topic within the buffer 2204. A variety ofimplementations of the pub-sub messaging system may be usable within thebuffer 2204. As will be appreciated, use of a pub-sub messaging systemcan provide many benefits, including the ability to retrieve dataquickly from the node 1806 while maintaining or increasing dataresiliency. In some embodiments, the distributed ledger system monitor1804 can provide the data to the data intake and query system 108through a module that provides an intake API to the data intake andquery system 108.

In certain embodiments, the data can be collected from the node 1806 byinstalling one or more forwarders 1904 on the node 1806 and/or or usingan HTTP event collector (indicated by arrow 2206). For example, themetrics or log data can be obtained from the node 1806 using a forwarder1904 or HTTP event collector.

As described herein, the data obtained from the node 1806 can be storedin one or more buckets of the data intake and query system 108. In somecases, the log data can be stored in one set of buckets associated withone index, the metrics data can be stored in a second set of bucketsassociated with a second index, and the transaction notifications can bestored in a third set of buckets associated with a third index. However,it will be understood that the data obtained from the node 1806 can bestored in a variety of ways and formats.

Moreover, the data intake and query system 108 can populate one or moreinverted indexes based on the received data. In some embodiments, as thedata intake and query system 108 ingests the data from the node 1806, itcan extract a transaction identifier using one or more regex rules. Forexample, the data intake and query system 108 can use one or more regexrules to extract a transaction identifier from log data and/ortransaction notifications. As the log data and transaction notificationsare different data types or have a different sourcetype, the data intakeand query system 108 can use different regex rules to extract thecorresponding transaction identifier (e.g., use one regex rule toextract transaction identifier from log data and a different regex ruleto extract transaction identifiers from transaction notifications). Insome cases, the distributed ledger system monitor 1804 can extract thetransaction identifiers from the transaction notifications. The dataintake and query system 108 can include the extracted transactionidentifiers as keywords or field-value pairs in one or more invertedindexes, such as the inverted index describe herein with reference toFIG. 5B. In certain embodiments, the data intake and query system 108can extract a node identifier for each node 1806 of the distributedledger system 1802. The extracted node identifier can also be stored inone or more inverted indexes. Similarly, the data intake and querysystem 108 can extract other data from the transaction notificationsand/or log data (non-limiting examples: endorsing, ordering, validatingnode identifiers, channel identifiers, ledger state edit time 1904,etc.) and store the extracted data in one or more inverted indexes.

As described herein, the data intake and query system 108 can correlatedifferent types of data of a particular node or across different nodesand/or associate the same type of data of a particular node or acrossdifferent nodes. For example, the data intake and query system 108 cancorrelate log data with transaction notifications and/or metrics datafrom the same node or from different nodes. Similarly, the data intakeand query system 108 can associate log data from different nodes ortransaction notifications from different nodes, etc.

In some cases, a node 1806 can generate multiple log data entries foreach transaction notification. For example, in some embodiments, atransaction notification can correspond to the commitment of a block toa blockchain, whereas the log data can correspond to one or moreprocessing tasks or other activities performed by the node 1806. As anode 1806 can perform multiple processing tasks or activities beforecommitting a block to a blockchain, there can be multiple of entries inlog data or multiple log data events for each transaction notificationor transaction notification event. In addition, as each peer node 1806can maintain its own blockchain, each peer node 1806 can generate atransaction notification that identifies the same transaction (orincludes the same transaction identifier). Accordingly, log data or logdata events of one node can be correlated with multiple transactionnotifications from different nodes.

In some embodiments, when correlating log data and transactionnotifications of a particular node, multiple entries of log data can becorrelated with one (or more, depending on the embodiment) transactionnotification, and when correlating log data and transactionnotifications across multiple nodes, one entry of log data (or one logdata event) can be correlated with multiple transaction notifications(or transaction notification events) from different nodes. In some suchembodiments, the data intake and query system 108 can correlate log dataand transaction notifications of each node before correlating log dataand transaction notifications across nodes. In a similar manner,multiple sets of metrics data of a particular node can be associatedwith a particular entry in log data (or log data event) or transactionnotification of the particular node.

As described herein, correlating the data obtained from the nodes 1806can provide significant insights and improvements for the distributedledger system 1802. In some cases, the data obtained from a single nodecan be correlated to provide node diagnostics, identify the structure orarchitecture of the node 1806 and/or parts of the distributed ledgersystem 1802, identify node failures or bottlenecks, recreate or rebuildthe blockchain or ledger state 1904, determine the history of atransaction with reference to the node 1806 or partial history, etc.

In some cases, to correlate transaction notifications with log data, thedata intake and query system 108 can identify events that are associatedwith the same transaction identifier. As described herein, some of theevents can correspond to log data (also referred to herein as log dataevents) from a node 1806 and other events can correspond to transactionnotifications of a node 1806 (also referred to herein as transactionnotification events). Based on a determination that the log data eventsand the transaction notification events include the same transactionidentifier, the data intake and query system 108 can correlate thedifferent events.

In some cases, the data intake and query system 108 can correlate themetrics with the log data and/or transaction identifiers based on one ormore timestamps. For example, as described herein, events can includedata associated with a timestamp and metrics can be stored inassociation with a timestamp. Accordingly, the data intake and querysystem 108 can correlate the metrics with the log data and/ortransaction notifications using the corresponding timestamps. In thisway, the data intake and query system 108 can determine the relevantmetrics of the node 1806 at the time particular log data and/ortransaction notification was generated. This correlation can provideinsights into the state of the node 1806 as when the log data and/ortransaction notification was generated.

Further, the correlation of different data can provide differentinsights into the state of the distributed ledger system 1802, atransaction, and/or a node 1806. For example, by correlating the logdata events and transaction notification events of a node, the dataintake and query system 108 can identify node failures in relation toparticular transactions, node throughput, determine the amount ofvalidated vs. invalidated nodes, the timing/frequency of the generationof a block or commitment of the block to a blockchain.

In certain embodiments, correlating transaction notifications and logdata can provide insights into the content of a block of a blockchain.For example, the content of the blockchain may be encoded, encrypted, orotherwise obfuscated for privacy or security purposes. By correlating atransaction of a block with corresponding log data, the data intake andquery system 108 can determine some or all of the content of thetransaction of the block. For example, the log data may includeinformation about the transaction that was encrypted or otherwiseobfuscated in the block.

Similarly, the correlation or association of data across nodes canprovide insights into the state of the distributed ledger system 1802, atransaction, a transaction history, etc. In some cases, the data intakeand query system 108 can associate the same type of data across multiplenodes 1806 of the distributed ledger system 1802. For example, the dataintake and query system 108 can associate log data events from a firstpeer node 1806 with log data events from a second peer node 1806. Insome cases, the association of the same type of data can be used toidentify the history of a transaction as it is received, endorsed,ordered, validated, included in a block, and/or committed to ablockchain.

Associating transaction notification events across different nodes canprovide insights into the functioning of the distributed ledger system1802. In some cases, the association can be used to identify errors in aparticular node 1806. For example, if all but one peer node 1806 of adistributed ledger system 1802 have committed a particular block to arespective blockchain, the data intake and query system 108 can identifya potential fault or error with the particular peer node. Similarly, thecorrelation or association of data across nodes 1806 can enable the dataintake and query system 108 to compare the throughput and processing ofeach node 1806 to identify slower/faster nodes, bottlenecks, etc.Accordingly, by obtaining the different types of data from the nodes ofa distributed ledger system 1802 and correlating the data, thedistributed ledger system 1802 can be improved. Specifically, thecorrelation can identify vulnerabilities, faults, errors, etc., of thedistributed ledger system 1802. Correlating the data across the nodes1806 can also enable the identification of potential security issues,such as, but not limited to, validated transactions that were notendorsed, digital certificate or signature abnormalities, an abnormalvolume of transactions, significant transactions or interactions withcomputers from a particular geographic area or block of IP addresses,etc.

In addition, by correlating the data across the nodes 1806, the dataintake and query system 108 can determine the architecture of thedistributed ledger system 1802. For example, the data intake and querysystem 108 can identify the different peer nodes 1806 and ordering nodes1806 of the distributed ledger system 1802, etc. For example, the dataintake and query system 108 can identify log data events and transactionnotification events that are associated with the same channel (e.g.,based on parsing relevant events and/or using one or more invertedindexes). The data intake and query system 108 can then identifydifferent peer nodes 1806 and ordering nodes 1806 associated with theidentified log data events and transaction notification events. Based onthis information, the data intake and query system 108 can identify thedifferent nodes 1806 of a channel. Further, by doing this for some orall channels, the data intake and query system 108 can identify thenodes 1806 of the distributed ledger system 1802. In addition, the dataintake and query system 108 can determine with which channels each node1806 is associated, which nodes 1806 share bytecodes, frequenttransactions between nodes, the size and/or number of nodes 1806involved in the individual transactions, etc.

By associating and correlating the events, the data intake and querysystem 108 can identify the components of the distributed ledger system1802 (and/or the status of the components). For example, by associatingand correlating events, the data intake and query system 108 candetermine that a particular distributed ledger system 1802 includesthree ordering nodes 1806, ten peer nodes 1806, four channels, etc.Similarly, the data intake and query system 108 can determine the statusfor the different components. For example, the data intake and querysystem 108 can determine the number of errors, warnings, responsiveness,etc. of one or more the three ordering nodes 1806 and ten peer nodes1806.

In certain embodiments, the data intake and query system 108 can obtainand correlate additional types of data. For example, as describedherein, blocks of a blockchain can include one or more digitalsignatures of a peer node 1806 and/or an ordering node 1806. The dataintake and query system 108 can use the digital signature to identify aCertificate Authority associated with the digital signature (e.g., aCertificate Authority that issued a digital certificate to the peer node1806 and/or ordering node 1806 to which the digital signaturecorresponds). One or more components of the data intake and query system108 (e.g., distributed ledger system monitor 1804, forwarder, and/orindexer) can query the Certificate Authority to obtain additionalidentifying attributes of the signer such as name, address, email,company name, phone number, title, etc. This information can be storedby the data intake and query system 108 and/or correlated with the otherdata obtained from the distributed ledger system 1802 to diagnose issueswith specific transactions and/or answer business analytics questions.

In some cases, the data intake and query system 108 can correlate thedata to identify relationships between the components of the distributedledger system 1802, and generate a visualization based on therelationships. For example, the data intake and query system 108 candetermine which nodes are associated with which channels and cantherefore communicate with each other with respect to a particularblockchain. In some cases, the data intake and query system 108 canstore the determined relationships and/or other attributes of thedifferent components in a table. In certain cases, the table can be usedto generate a visualization. In certain embodiments the visualizationcan indicate the relationships of the components of the distributedledger system 1802. For example, the visualization can indicate peernodes 1806 and ordering nodes 1808 that are part of a shared channel orconsortium. In addition, the various processing steps of a transactioncan be tracked across the different nodes of the distributed ledgersystem 1802 and visualized. In this way, the data intake and querysystem 108 can identify issues and errors with the distributed ledgersystem 1802, etc.

In some embodiments, the visualization can indicate the overall healthof individual components of the distributed ledger system 1802. Forexample, the visual representation of the components can be coloredgreen to indicate “healthy” (e.g., fewer than a threshold number oferrors/warnings or no errors/warnings) and red to indicate “unhealthy”(e.g., greater than a threshold number of errors, warnings, etc.) Thevisualization can also enable the user to drill down on visualrepresentations of the components of the distributed ledger system 1802to display information, metrics, and log data to determine theperformance of the component and/or troubleshoot problem areas. Incertain embodiments, such as when a user “drills down” to a particularcomponent, the visualization can display log data, metrics data, trendsof log data or metrics data, etc.

As noted herein above, the distributed ledger system 1802 may support aspecial account type, which is referred to as “contract account.” Amessage to a contract account activates its executable code implementinga “smart contract,” which may evaluate specified conditions and performvarious actions (e.g., transfer cryptocurrency tokens between accounts,write data to internal storage, mint new cryptocurrency tokens, performcalculation, create new smart contracts, etc.). The nodes of thedistributed ledger system 1802 may collectively implement a distributedvirtual machine (e.g., the EVM) for executing the code implementingsmart contracts. A smart contract can be created in a high levelprogramming language (such as Solidity) and then compiled into the EVMbytecode.

FIG. 23 is a data flow diagram illustrating transaction decoding by adistributed ledger connector of the data intake and query system 108operating in accordance with aspects of the present disclosure. In anillustrative example, the distributed ledger connector 2302 may receive,from a distributed ledger node 2304, a transaction 2310. In anotherillustrative example, the transaction 2310 may be retrieved from a logfile (not shown) maintained by the distributed ledger node 2304.

The transaction 2310 may include the transaction nonce 2312, thetransaction processing fee 2314, the destination account identifier2316, the transaction value 2318, the transaction data 2320, and thecryptographic signature 2322 of the transaction originating node. Thetransaction nonce 2312 may specify a sequence number of transactionssent from the given source address. The transaction processing fee 2314may specify the maximum amount of crypto currency which the transactionoriginator is willing to pay for processing the transaction. Thedestination account identifier 2316 may identify an external account ora contract account. The transaction value 2318 may specify an amount ofcrypto currency to be transferred to the destination account. Thetransaction data 2320 may be empty for payment transactions; for smartcontract transactions, the transaction data 2320 contains a messageinvoking a smart contract.

In order to decode a smart contract transaction, the distributed ledgerconnector 2302 may retrieve the bytecode 2324 implementing the smartcontract associated with the distributed ledger account 2316 identifiedby the transaction as the destination account. In an illustrativeexample, the bytecode may be retrieved by performing a JSON-RPC call tothe destination node specified by the transaction 2310. In anotherillustrative example, the bytecode may be retrieved from a log filemaintained by the destination node or another node of the distributedledger system. Upon retrieving the bytecode, the distributed ledgerconnector 2302 may compute its digital fingerprint 2326.

FIG. 24 is a data flow diagram of computing a digital fingerprint of asmart contract, in accordance with aspects of the present disclosure. Asschematically illustrated by FIG. 24 , a digital fingerprint of a smartcontract can be represented by a cryptographic hash of all distributedledger function signatures and distributed ledger event signaturescontained in the bytecode 2400 implementing the smart contract.Accordingly, the distributed ledger connector 2302 may parse thebytecode 2400 and extract the distributed ledger function signatures2410A-2410P and distributed ledger event signatures 2420A-2420Q(collectively referred to as Function and Even Signatures 2450).

In an illustrative example, a function signature may be represented bythe function name followed by a parenthesized list of parameter typesthat are split by a predefined delimiter (e.g., a comma):

FunctionName(param_1_type, param_2_type, . . . param_N_type), where N isthe number of parameters.

Similarly, a distributed ledger event signature may be represented bythe distributed ledger event topic followed by a parenthesized list ofparameter types that are split by a predefined delimiter (e.g., acomma):

EventTopic(param_1 type, param_2_type, . . . param_M_type), where M isthe number of parameters.

Alternatively, various other specifications of distributed ledgerfunction signatures and/or distributed ledger event signatures may beutilized, provided that a signature unambiguously reflects at least thefunction name (or the distributed ledger event name) and parametertypes.

As noted herein above, the digital fingerprint of a smart contract canbe represented by a cryptographic hash of all distributed ledgerfunction signatures and distributed ledger event signatures. Acryptographic hash may be represented by an irreversible functionmapping its argument represented by a bit string of arbitrary size to ahash value represented by a bit string of a pre-determined size, suchthat two different arguments are very unlikely to produce the same hashvalue. In an illustrative example, a Secure Hash Algorithm (SHA)function, such as SHA-3, may be utilized for computing the digitalfingerprint. Alternatively, various other cryptographic hash functionsmay be utilized.

Upon extracting, from the bytecode 2400, the distributed ledger functionsignatures and distributed ledger event signatures 2430, the distributedledger connector 2302 may compute the value of the chosen hash function2440 of the character string produced by concatenating all extracteddistributed ledger function signatures and distributed ledger eventsignatures, thus producing the digital fingerprint 2326:

Fingerprint=H(concatenation(signature_1, signature_2, . . . ,signature_K), where H is the chosen cryptographic hash, and signature_1,signature_2, . . . , signature_K denote the distributed ledger functionsignatures and distributed ledger event signatures extracted from thecontract bytecode.

Referring again to FIG. 23 , the distributed ledger connector 2302 mayutilize the computed digital fingerprint 2326 for associating the smartcontract with a known application binary interface (ABI) definition. Thedata intake and query system 108 main maintain a local database 2330 ofABI definitions of smart contracts and/or access a remote database (notshown in FIG. 23 ) of ABI definitions of smart contracts. In variousillustrative examples, the remote database may be a publicly accessibledatabase or a private database maintained by a customer utilizing thedata intake and query system 108 or by a third party.

The ABI definition of a smart contract may be represented by ahuman-readable textual representation (e.g., a JSON file) describing thesmart contract and its functions. For each function, its name,parameters types and values, and other pertinent information isspecified. Accordingly, for every smart contract having its ABIdefinition 2332 stored in the database 2330, the data intake and querysystem may compute the digital fingerprint 2334 following the proceduredescribed herein above with reference to FIG. 24 . The computed digitalfingerprints 2334 may be stored in the database 2330 in association withthe respective ABI definitions 2332, such that the digital fingerprint2334A is associated with the ABI definition 2332A, the digitalfingerprint 2334B is associated with the ABI definition 2332B, etc. Thedatabase 2330 may be indexed by the values of the digital fingerprints2334 in order to facilitate efficient identification and retrieval of asmart contract ABI definition associated with a specified digitalfingerprint.

Thus, the distributed ledger connector 2302 may search the database 2330for a digital fingerprint that matches the computed digital fingerprint2450 of the bytecode 2322 implementing the smart contract associatedwith the distributed ledger account 2316. Upon identifying the matchingdigital fingerprint 2334R, the distributed ledger connector 2302 mayretrieve the associated ABI contract definition 2332R. The distributedledger connector 2302 may extract, from the ABI contract definition2332R, function signatures specifying, for each function exposed by theABI definition, its name as well as the names and types of itsparameters. The extracted information may be utilized for decoding thetransaction data 2320 thus producing decoded transaction data 2350.

As noted herein above, for smart contract transactions, the transactiondata 2320 contains a message invoking a smart contract. Accordingly, thedistributed ledger connector 2302 may, upon identifying within thetransaction data 2320, a smart contract invocation, extract the functionsignature and parameter values associated with the identifiedtransaction data. In an illustrative example, a predefined number ofbytes (e.g., four bytes) of the function call data referenced by thetransaction data specify the hash of the signature of the function to becalled. Following the function signature (e.g., starting from the fifthbyte), the function call contains encoded parameter values.

The distributed ledger connector 2302 may identify, within the ABIdefinition 2332R of the identified matching smart contract, a functionsignature matching the function signature extracted from the transactiondata 2320. The definition of the identified matching function (e.g.,parameter names and types) may be utilized by the distributed ledgerconnector 2302 for decoding the transaction data 2320. In particular,the distributed ledger connector 2302 may decode the parameter valuesextracted from the transaction data 2320 in accordance with theparameter types specified by the ABI definition 2332R for the identifiedmatching function. The distributed ledger connector 2302 may furtherassociate each parameter value with a corresponding parameter namespecified by the ABI definition 2332R for the identified matchingfunction. The decoded transaction data, including the function name, theparameters names, types, and values, may be fed to a data intake andquery system 108 for visualization and/or further processing.

FIG. 25 is a flow diagram of an embodiment of a method 2500 of decodingdistributed ledger transactions, in accordance with aspects of thepresent disclosure. Method 2500 and/or each of its individual functions,routines, subroutines, or operations may be performed by one or moreprocessors of a computing device the distributed ledger connector 2302of the data intake and query system 108. In certain implementations,method 2500 may be performed by a single processing thread.Alternatively, method 2500 may be performed by two or more processingthreads, each thread executing one or more individual functions,routines, subroutines, or operations of the method. In an illustrativeexample, the processing threads implementing method 2500 may besynchronized (e.g., using semaphores, critical sections, and/or otherthread synchronization mechanisms). Alternatively, the processingthreads implementing method 2500 may be executed asynchronously withrespect to each other. Therefore, while FIG. 25 and the associateddescription lists the operations of method 2500 in certain order,various implementations of the method may perform at least some of thedescribed operations in parallel and/or in arbitrary selected orders.

Although described as being implemented by the distributed ledgerconnector 2302 of the data intake and query system 108, it will beunderstood that one or more elements outlined for method 2500 can beimplemented by one or more computing devices/components that areassociated with a data intake and query system 108, such as the searchhead 210, indexer 206, etc. Thus, the following illustrative embodimentshould not be construed as limiting.

At block 2510, the computing device implementing the distributed ledgerconnector 2302 receives distributed ledger transaction. The transactionmay include the transaction nonce, the transaction processing fee, thedestination account identifier, the transaction value, the transactiondata, and the cryptographic signature of the transaction originatingnode. The transaction nonce may specify a sequence number oftransactions sent from the given source address. The transactionprocessing fee may specify the maximum amount of crypto currency whichthe transaction originator is willing to pay for processing thetransaction. The destination account identifier may identify an externalaccount or a contract account. The transaction value may specify anamount of crypto currency to be transferred to the destination account.The transaction data may be empty for payment transactions; for smartcontract transactions, the transaction data contains a message invokinga smart contract.

At block 2520, the computing device receives the bytecode moduleassociated with the distributed ledger account identified by thetransaction. In an illustrative example, the bytecode may be retrievedby performing a JSON-RPC call to the destination node specified by thedistributed ledger transaction. In another illustrative example, thebytecode may be retrieved from a log file maintained by the destinationnode or another node of the distributed ledger system.

At block 2530, the computing device computes the digital fingerprint ofthe retrieved bytecode. The digital fingerprint may be represented by acryptographic hash of all distributed ledger function signatures anddistributed ledger event signatures contained by the bytecode. Thus,upon extracting the distributed ledger function signatures anddistributed ledger event signatures from the bytecode, the computingdevice may compute the value of a chosen hash function of the characterstring produced by concatenating all extracted distributed ledgerfunction signatures and distributed ledger event signatures, thusproducing the digital fingerprint, as described in more detail hereinabove.

At block 2540, the computing device identifies, among a plurality of ABIdefinitions stored in the ABI definition database, an ABI definitionhaving the ABI digital fingerprint that matches the computed bytecodedigital fingerprint, as described in more detail herein above.

At block 2550, the computing device produces decoded transaction data bydecoding, using the identified ABI definition, the transaction data. Inan illustrative example, the computing device may retrieve, from the ABIdefinition database, the ABI contract definition associated with theidentified digital fingerprint matching the computed bytecodefingerprint. The computing device may then extract, from the retrievedABI contract definition, the function signatures specifying, for eachfunction exposed by the ABI definition, its name as well as the namesand types of its parameters. The extracted information may be utilizedfor decoding the transaction data, as explained in more detail hereinbelow with reference to FIG. 26

FIG. 26 is a flow diagram of an embodiment of a method 2600 of decodingtransaction data, in accordance with aspects of the present disclosure.Method 2600 and/or each of its individual functions, routines,subroutines, or operations may be performed by one or more processors ofa computing device the distributed ledger connector 2302 of the dataintake and query system 108. In certain implementations, method 2600 maybe performed by a single processing thread. Alternatively, method 2600may be performed by two or more processing threads, each threadexecuting one or more individual functions, routines, subroutines, oroperations of the method. In an illustrative example, the processingthreads implementing method 2600 may be synchronized (e.g., usingsemaphores, critical sections, and/or other thread synchronizationmechanisms). Alternatively, the processing threads implementing method2600 may be executed asynchronously with respect to each other.Therefore, while FIG. 26 and the associated description lists theoperations of method 2600 in certain order, various implementations ofthe method may perform at least some of the described operations inparallel and/or in arbitrary selected orders.

Although described as being implemented by the distributed ledgerconnector 2302 of the data intake and query system 108, it will beunderstood that one or more elements outlined for method 2600 can beimplemented by one or more computing devices/components that areassociated with a data intake and query system 108, such as the searchhead 210, indexer 206, etc. Thus, the following illustrative embodimentshould not be construed as limiting.

At block 2610, the computing device implementing the distributed ledgerconnector parses the transaction data to identify a smart contractfunction invocation (encoded signature hash and parameters).

At block 2620, the computing device extracts the signature and parametervalues of a function invoked by the transaction data. In an illustrativeexample, a predefined number of bytes (e.g., four bytes) of theidentified function call specify the hash of the signature of thefunction to be called. Following the function signature (e.g., startingfrom the fifth byte), the function call contains encoded parametervalues.

At block 2630, the computing device identifies, in the ABI definitionhaving the ABI digital fingerprint that matches the bytecode digitalfingerprint, a function signature matching the signature extracted fromthe transaction data.

At block 2640, the computing device utilizes the definition of theidentified matching function (e.g., parameter names and types) fordecoding the transaction data. In particular, the computing device maydecode the parameter values extracted from the transaction data inaccordance with the parameter types specified by the ABI definition forthe identified matching function. The computing may further associateeach parameter value with a corresponding parameter name specified bythe ABI definition for the identified matching function. The decodedtransaction data, including the function name, the parameters names,types, and values, may be fed to a data intake and query system forvisualization and/or further processing.

In some cases, the data intake and query system 108 can generate one ormore visualizations of the results. In certain cases, the visualizationscan indicate the path or history of the transaction through thedistributed ledger system 1802, the architecture of the distributedledger system 1802, and/or the status of individual nodes 1806 and/orthe distributed ledger system 1802 as a whole. In certain embodiments,the visualization can include a display object for each node of thedistributed ledger system 1802 with one more indicators that indicate astatus of the node, such as the number of errors or faults at the node,the number of transactions processed or being processed, the number ofchannels associated with each node, etc.

The data intake and query system 108 can use the events to identifyerrors, bottlenecks or other issues in the distributed ledger system1802. For example, the data intake and query system 108 can identifynodes with smaller or greater throughput, nodes with the most errors,etc. In some cases, the data intake and query system 108 can use theevents to track the lifecycle of a transaction, including the initialsubmission of transaction to a node 1806, endorsement of thetransaction, ordering of the transaction, validation of the transaction,and inclusion of the transaction into the ledger 1808. If thetransaction stops or slows down unacceptably at any point in thejourney, the data intake and query system 108 can diagnose the reasonfor the slow down and generate an alert. Potential issues may include,errors in the bytecode execution, latency with querying the ledger state1904, network latency, resource contention in the underlying distributedledger system 1802, authentication/authorization issues, etc.

In addition, the results can include an identification of errorsassociated with the processing of the transaction, errors with orcreated by the bytecode, errors in the bytecode execution, throughput ofthe node, time taken to process the transaction at different times,latency with querying the ledger state 1904, etc. In some cases, basedon the association, the data intake and query system 108 can determinethe architecture (or a portion thereof) of the distributed ledger system1802. For example, the information from the various events can indicatewhich peer nodes endorsed the transaction and are therefore part of thedistributed ledger system 1802, which ordering node ordered thetransaction and is therefore part of the distributed ledger system 1802.In addition, the data intake and query system 108 can identify thenumber and identity of various channels with which the node 1806 isassociated.

In certain embodiments, the data intake and query system 108 can use theevents to determine a type of node processing a particular transaction(e.g., peer node and/or ordering node). For example, if a node does nothave any transaction notification events associated with it, the dataintake and query system 108 can determine that it is an ordering node,or if it does have transaction notification events associated with it,the data intake and query system 108 can determine that it is a peernode, etc. In some cases, by associating and/or correlating the events,the data intake and query system 108 can recreate the blockchain.

Computer programs typically comprise one or more instructions set atvarious times in various memory devices of a computing device, which,when read and executed by at least one processor, will cause a computingdevice to execute functions involving the disclosed techniques. In someembodiments, a carrier containing the aforementioned computer programproduct is provided. The carrier is one of an electronic signal, anoptical signal, a radio signal, or a non-transitory computer-readablestorage medium.

Any or all of the features and functions described above can be combinedwith each other, except to the extent it may be otherwise stated aboveor to the extent that any such embodiments may be incompatible by virtueof their function or structure, as will be apparent to persons ofordinary skill in the art. Unless contrary to physical possibility, itis envisioned that (i) the methods/steps described herein may beperformed in any sequence and/or in any combination, and (ii) thecomponents of respective embodiments may be combined in any manner.

Although the subject matter has been described in language specific tostructural features and/or acts, it is to be understood that the subjectmatter defined in the appended claims is not necessarily limited to thespecific features or acts described above. Rather, the specific featuresand acts described above are disclosed as examples of implementing theclaims, and other equivalent features and acts are intended to be withinthe scope of the claims.

Conditional language, such as, among others, “can,” “could,” “might,” or“may,” unless specifically stated otherwise, or otherwise understoodwithin the context as used, is generally intended to convey that certainembodiments include, while other embodiments do not include, certainfeatures, elements and/or steps. Thus, such conditional language is notgenerally intended to imply that features, elements and/or steps are inany way required for one or more embodiments or that one or moreembodiments necessarily include logic for deciding, with or without userinput or prompting, whether these features, elements and/or steps areincluded or are to be performed in any particular embodiment.

Unless the context clearly requires otherwise, throughout thedescription and the claims, the words “comprise,” “comprising,” and thelike are to be construed in an inclusive sense, as opposed to anexclusive or exhaustive sense, i.e., in the sense of “including, but notlimited to.” As used herein, the terms “connected,” “coupled,” or anyvariant thereof means any connection or coupling, either direct orindirect, between two or more elements; the coupling or connectionbetween the elements can be physical, logical, or a combination thereof.Additionally, the words “herein,” “above,” “below,” and words of similarimport, when used in this application, refer to this application as awhole and not to any particular portions of this application. Where thecontext permits, words using the singular or plural number may alsoinclude the plural or singular number respectively. The word “or” inreference to a list of two or more items, covers all of the followinginterpretations of the word: any one of the items in the list, all ofthe items in the list, and any combination of the items in the list.Likewise, the term “and/or” in reference to a list of two or more items,covers all of the following interpretations of the word: any one of theitems in the list, all of the items in the list, and any combination ofthe items in the list.

Conjunctive language such as the phrase “at least one of X, Y and Z,”unless specifically stated otherwise, is otherwise understood with thecontext as used in general to convey that an item, term, etc. may beeither X, Y or Z, or any combination thereof. Thus, such conjunctivelanguage is not generally intended to imply that certain embodimentsrequire at least one of X, at least one of Y and at least one of Z toeach be present. Further, use of the phrase “at least one of X, Y or Z”as used in general is to convey that an item, term, etc. may be eitherX, Y or Z, or any combination thereof.

In some embodiments, certain operations, acts, events, or functions ofany of the algorithms described herein can be performed in a differentsequence, can be added, merged, or left out altogether (e.g., not allare necessary for the practice of the algorithms). In certainembodiments, operations, acts, functions, or events can be performedconcurrently, e.g., through multi-threaded processing, interruptprocessing, or multiple processors or processor cores or on otherparallel architectures, rather than sequentially.

Systems and modules described herein may comprise software, firmware,hardware, or any combination(s) of software, firmware, or hardwaresuitable for the purposes described. Software and other modules mayreside and execute on servers, workstations, personal computers,computerized tablets, PDAs, and other computing devices suitable for thepurposes described herein. Software and other modules may be accessiblevia local computer memory, via a network, via a browser, or via othermeans suitable for the purposes described herein. Data structuresdescribed herein may comprise computer files, variables, programmingarrays, programming structures, or any electronic information storageschemes or methods, or any combinations thereof, suitable for thepurposes described herein. User interface elements described herein maycomprise elements from graphical user interfaces, interactive voiceresponse, command line interfaces, and other suitable interfaces.

Further, processing of the various components of the illustrated systemscan be distributed across multiple machines, networks, and othercomputing resources. In certain embodiments, one or more of thecomponents of the data intake and query system 108 can be implemented ina remote distributed computing system. In this context, a remotedistributed computing system or cloud-based service can refer to aservice hosted by one more computing resources that are accessible toend users over a network, for example, by using a web browser or otherapplication on a client device to interface with the remote computingresources. For example, a service provider may provide a data intake andquery system 108 by managing computing resources configured to implementvarious aspects of the system (e.g., search head 210, indexers 206,etc.) and by providing access to the system to end users via a network.

When implemented as a cloud-based service, various components of thesystem 108 can be implemented using containerization oroperating-system-level virtualization, or other virtualizationtechnique. For example, one or more components of the system 108 (e.g.,search head 210, indexers 206, etc.) can be implemented as separatesoftware containers or container instances. Each container instance canhave certain resources (e.g., memory, processor, etc.) of the underlyinghost computing system assigned to it, but may share the same operatingsystem and may use the operating system's system call interface. Eachcontainer may provide an isolated execution environment on the hostsystem, such as by providing a memory space of the host system that islogically isolated from memory space of other containers. Further, eachcontainer may run the same or different computer applicationsconcurrently or separately, and may interact with each other. Althoughreference is made herein to containerization and container instances, itwill be understood that other virtualization techniques can be used. Forexample, the components can be implemented using virtual machines usingfull virtualization or paravirtualization, etc. Thus, where reference ismade to “containerized” components, it should be understood that suchcomponents may additionally or alternatively be implemented in otherisolated execution environments, such as a virtual machine environment.

Likewise, the data repositories shown can represent physical and/orlogical data storage, including, e.g., storage area networks or otherdistributed storage systems. Moreover, in some embodiments theconnections between the components shown represent possible paths ofdata flow, rather than actual connections between hardware. While someexamples of possible connections are shown, any of the subset of thecomponents shown can communicate with any other subset of components invarious implementations.

Embodiments are also described above with reference to flow chartillustrations and/or block diagrams of methods, apparatus (systems) andcomputer program products. Each block of the flow chart illustrationsand/or block diagrams, and combinations of blocks in the flow chartillustrations and/or block diagrams, may be implemented by computerprogram instructions. Such instructions may be provided to a processorof a general purpose computer, special purpose computer,specially-equipped computer (e.g., comprising a high-performancedatabase server, a graphics subsystem, etc.) or other programmable dataprocessing apparatus to produce a machine, such that the instructions,which execute via the processor(s) of the computer or other programmabledata processing apparatus, create means for implementing the actsspecified in the flow chart and/or block diagram block or blocks. Thesecomputer program instructions may also be stored in a non-transitorycomputer-readable memory that can direct a computer or otherprogrammable data processing apparatus to operate in a particularmanner, such that the instructions stored in the computer-readablememory produce an article of manufacture including instruction meanswhich implement the acts specified in the flow chart and/or blockdiagram block or blocks. The computer program instructions may also beloaded to a computing device or other programmable data processingapparatus to cause operations to be performed on the computing device orother programmable apparatus to produce a computer implemented processsuch that the instructions which execute on the computing device orother programmable apparatus provide steps for implementing the actsspecified in the flow chart and/or block diagram block or blocks.

Any patents and applications and other references noted above, includingany that may be listed in accompanying filing papers, are incorporatedherein by reference. Aspects of the invention can be modified, ifnecessary, to employ the systems, functions, and concepts of the variousreferences described above to provide yet further implementations of theinvention. These and other changes can be made to the invention in lightof the above Detailed Description. While the above description describescertain examples of the invention, and describes the best modecontemplated, no matter how detailed the above appears in text, theinvention can be practiced in many ways. Details of the system may varyconsiderably in its specific implementation, while still beingencompassed by the invention disclosed herein. As noted above,particular terminology used when describing certain features or aspectsof the invention should not be taken to imply that the terminology isbeing redefined herein to be restricted to any specific characteristics,features, or aspects of the invention with which that terminology isassociated. In general, the terms used in the following claims shouldnot be construed to limit the invention to the specific examplesdisclosed in the specification, unless the above Detailed Descriptionsection explicitly defines such terms. Accordingly, the actual scope ofthe invention encompasses not only the disclosed examples, but also allequivalent ways of practicing or implementing the invention under theclaims.

To reduce the number of claims, certain aspects of the invention arepresented below in certain claim forms, but the applicant contemplatesother aspects of the invention in any number of claim forms. Forexample, while only one aspect of the invention is recited as ameans-plus-function claim under 35 U.S.C. sec. 112(f) (AIA), otheraspects may likewise be embodied as a means-plus-function claim, or inother forms, such as being embodied in a computer-readable medium. Anyclaims intended to be treated under 35 U.S.C. § 112(f) will begin withthe words “means for,” but use of the term “for” in any other context isnot intended to invoke treatment under 35 U. S. C. § 112(f).Accordingly, the applicant reserves the right to pursue additionalclaims after filing this application, in either this application or in acontinuing application.

What is claimed is:
 1. A method implemented by one or more processingdevices of a computer system, the method comprising: receiving, by thecomputer system, a transaction of a distributed ledger, wherein thetransaction includes transaction data and an identifier of an account ofthe distributed ledger; receiving a bytecode module, wherein thebytecode module is associated with the account of the distributedledger; computing a bytecode digital fingerprint associated with thebytecode module; identifying, among a plurality of stored applicationbinary interface (ABI) definitions, an ABI definition having an ABIdigital fingerprint that matches the bytecode digital fingerprint; andproducing decoded transaction data by parsing the transaction data togenerate a name of a smart contract function, a name of a parameter ofthe smart contract function, and a value of the parameter of the smartcontract function, wherein the name of the smart contract function andthe name of the parameter are defined by the identified ABI definition.2. The method of claim 1, wherein the bytecode module implements a smartcontract.
 3. The method of claim 1, wherein computing the bytecodedigital fingerprint further comprises: computing a cryptographic hash ofconcatenated signatures of smart contract functions and smart contractevents referenced by the bytecode module.
 4. The method of claim 1,wherein computing the bytecode digital fingerprint further comprises:computing a cryptographic hash of concatenated signatures of smartcontract functions and smart contract events referenced by the bytecodemodule, wherein a signature of the smart contract function isrepresented by a name of the smart contract function followed by a listof types of parameters of the smart contract function.
 5. The method ofclaim 1, wherein computing the bytecode digital fingerprint furthercomprises: computing a cryptographic hash of concatenated signatures ofsmart contract functions and smart contract events referenced by thebytecode module, wherein a signature of a smart contract event isrepresented by a topic of the smart contract event followed by a list oftypes of parameters of the smart contract event.
 6. The method of claim1, wherein the identified ABI definition further comprises a type of theparameter of the smart contract function.
 7. The method of claim 1,wherein producing the decoded transaction data further comprises:parsing the transaction data to extract a signature of the smartcontract function.
 8. The method of claim 1, wherein the distributedledger is compliant with Ethereum specification.
 9. The method of claim1, wherein the ABI definition is represented by a JSON file.
 10. Themethod of claim 1, wherein the transaction further comprises at leastone of: a transaction nonce, a destination transaction identifier, atransaction processing fee, a transaction value, or a cryptographicsignature of a node that has originated the transaction.
 11. The methodof claim 1, wherein the plurality of stored application binary interface(ABI) definitions are stored in a database in association withrespective ABI digital fingerprints, and wherein the database is indexedby the ABI digital fingerprints.
 12. The method of claim 1, furthercomprising: supplying the decoded transaction data to a data intake andquery system.
 13. The method of claim 1, further comprising: causing thedecoded transaction data to be rendered via a graphical user interface(GUI).
 14. A computing system, comprising: a memory; and one or moreprocessing devices coupled to the memory, the one or more processingdevices to: receive a transaction of a distributed ledger, wherein thetransaction includes transaction data and an identifier of an account ofthe distributed ledger; receive a bytecode module, wherein the bytecodemodule is associated with the account of the distributed ledger; computea bytecode digital fingerprint associated with the bytecode module;identifying, among a plurality of stored application binary interface(ABI) definitions, an ABI definition having an ABI digital fingerprintthat matches the bytecode digital fingerprint; and produce decodedtransaction data by parsing the transaction data to generate a name of asmart contract function, a name of a parameter of the smart contractfunction, and a value of the parameter of the smart contract function,wherein the name of the smart contract function and the name of theparameter are defined by the identified ABI definition.
 15. Thecomputing system of claim 14, wherein the bytecode module implements asmart contract.
 16. The computing system of claim 14, wherein computingthe bytecode digital fingerprint further comprises: computing acryptographic hash of concatenated signatures of smart contractfunctions and smart contract events referenced by the bytecode module.17. A non-transitory computer-readable storage medium comprisingcomputer-executable instructions that, when executed by a computingsystem, cause the computing system to: receive a transaction of adistributed ledger, wherein the transaction includes transaction dataand an identifier of an account of the distributed ledger; receive abytecode module, wherein the bytecode module is associated with theaccount of the distributed ledger; compute a bytecode digitalfingerprint associated with the bytecode module; identifying, among aplurality of stored application binary interface (ABI) definitions, anABI definition having an ABI digital fingerprint that matches thebytecode digital fingerprint; and produce decoded transaction data byparsing the transaction data to generate a name of a smart contractfunction, a name of a parameter of the smart contract function, and avalue of the parameter of the smart contract function, wherein the nameof the smart contract function and the name of the parameter are definedby the identified ABI definition.
 18. The non-transitorycomputer-readable storage medium of claim 17, wherein computing thebytecode digital fingerprint further comprises: computing acryptographic hash of concatenated signatures of smart contractfunctions and smart contract events referenced by the bytecode module,wherein a signature of the smart contract function is represented by aname of the smart contract function followed by a list of types ofparameters of the smart contract function.